Microsoft Outlook Zero Day Vulnerability CVE-2023-23397 Exploited

Outlook Vulnerability Allows Zero-Click Attackers to Compromise User Authentication

An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. 

Khuram Hussain, a certified ethical hacker at Holm Security, said:

“This flaw is simple to exploit and importantly requires no user interaction, making this a zero-click vulnerability. Proof-of-concept exploits have already been developed, and given the ubiquity of Outlook, now that the vulnerability is known, we believe it is only a matter of time before it is incorporated by the strategies of threat actors worldwide.” 

General

In Microsoft's Patch Tuesday, the news broke of an Outlook Elevation of Privilege Vulnerability (CVE-2023-23397). Microsoft released a patch for this vulnerability and security updates covering nearly all their other services, from Azure to Microsoft 365 apps (for enterprise) to Outlook 2013 SP1. Microsoft later published a blog post focusing on its handling of this vulnerability.  

In it, Microsoft assessed that the vulnerability had been subject to targeted but limited attacks by Russian-based threat actors. The exploit was used in attacks against a limited number of organizations in Europe's government, transportation, energy, and military sectors. 

This flaw affects on-prem versions of Microsoft Outlook for Windows (Microsoft 365 Apps for Enterprise, Office 2013, 2016, and 2019, including LTSC) but not Outlook for Mac, iOS, or Android, and Outlook on the web because these services do not support NTLM authentication and therefore are not vulnerable to being attacked. 

However, the CVSS attack complexity is rated “Low” and as such Holm Security is urging users to implement a patch as soon as possible.

Description 

No-User-Interaction & Zero Click Vulnerability

 This vulnerability is particularly dangerous because it allows a remote and unauthenticated attacker to retrieve the victim's credentials just by sending a specially formatted appointment to the user, which does not even need to be opened by the target's application since it triggers automatically when it is retrieved and processed by the Outlook client. 

The expired appointment sent by the attacker populates specific built-in properties that point to a UNC path, which provokes Windows to send the user’s login name and NTLM password hash to a location controlled by the attacker. Since the message is an appointment, Outlook processes it without any interaction from the user, who could remain completely unaware of what is happening. 

Once received, the leaked Net-NTLMv2 hash, which is the challenge-response protocol used for authentication in Windows environments, can then be used by the attacker as a basis of an NTLM Relay attack against other services and systems to authenticate as the victim. 

Impact

Successful exploitation of this vulnerability will allow an attacker to obtain the user's hashed NTLM credentials and use them to access the user's other systems that support NTLM authentication.

Ease of Exploit

CVE-2023-23397 has a CVSSv2 10.0 score and a CVSSv3.1 score of 9.8.

Researchers at MDSec developed a functional proof-of-concept for CVE-2023-23397 within 1 day of release, emphasising the low rating of attack complexity.

Known vulnerabilities typically provide the greatest risk to organisations today. Combined with the simplicity with which CVE-2023-23397 can be exploited, and its Zero Click Vulnerability nature, it is a matter of time before this is adopted by a multitude of threat actors.

Google-owned threat intelligence company, Mandiant, says that it believes the CVE-2023-23397 Microsoft Outlook zero-day vulnerability has been exploited for nearly a year in order to target both organizations and critical infrastructure. Mandiant also say that multiple proofs-of-concept are now widely available. Since the exploit is a no-user-interaction exploit, the potential for harm is very high.

Mitigation

Microsoft has released security updates (currently for Outlook 2016 and 2013 SP1, 32-bit, and 64-bit editions) and mitigation steps to protect against this vulnerability. To mitigate the vulnerability (in order of priority):

1. Disable outbound 445/TCP to stop the NTLM traffic.
2. Patch Outlook with the security updates provided by Microsoft. If the patch for the version of Outlook running in your organization is unavailable, update Outlook to a supported version.
3. Add users (especially those with administrative privileges) to the Protected Users Security Group to prevent their usage of NTLM as an authentication. This may cause an impact on applications that require NTLM, however, once the user is removed from the Protected Users Group the settings will revert.
4. Lastly, to find and remove suspicious items from your system, run the PowerShell script developed by Microsoft (See references).

Holm Security Vulnerability Management Platform – Detection Instructions

The detection script has already been released, and you can perform authenticated scans in Security Center to scan for the vulnerability.

For more information on this please visit our helpdesk article. 

We will keep you updated as additional information becomes available.