Update for Microsoft Outlook Elevation of Privilege Vulnerability - 20230327002
Overview
Microsoft has released updated guidance on CVE-2023-23397 covering mitigations and how to assess whether an organisation has been targeted.
Microsoft has published:
- Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog - Published 24/03/23
What is the vulnerability?
CVE-2023-23397 - CVSS v3.1 Base Score: 9.8
CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook for Windows. It is triggered when an attacker sends a message carrying an extended MAPI property (PidLidReminderFileParameter, the reminder sound file) whose value is a UNC path to an SMB share (TCP 445) on an attacker-controlled server on an untrusted network. The message triggers automatically when the Outlook client retrieves and processes it, which can happen before it is viewed in the Preview Pane; no user interaction is required.
When Outlook connects to the remote SMB server, that connection sends the user's NTLM authentication (the Net-NTLMv2 response) to the attacker, who can relay it to other systems that accept NTLM authentication and act as that user.
What is vulnerable?
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Outlook 2013 RT Service Pack 1
Recommendation
If possible, run Microsoft's CVE-2023-23397 check script (CVE-2023-23397.ps1), which searches Exchange mailboxes for messages carrying the reminder-file property, to find potential exploitation attempts.
Microsoft Incident Response recommends the following steps:
- Update Microsoft Outlook as soon as possible to mitigate the issue. If patching is not immediately possible, the following security best practices help mitigate this threat:
- Add users to the Protected Users group, which prevents the use of NTLM as an authentication mechanism. This might impact applications that require NTLM, but the settings will revert once the user is removed from the Protected Users group. This makes troubleshooting easier than other methods of disabling NTLM authentication. The Protected Users group provides credential protections beyond disabling NTLM and should be used for high-value accounts, such as domain administrators, when possible.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, local firewall, and through your VPN settings. This helps prevent the exploitation of CVE-2023-23397 to send NTLM authentication messages to remote file shares. For remote users, it is important to check split tunnel VPN settings to ensure outbound traffic is blocked when they are not on your corporate network.
- For organizations using on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
- Where suspicious or malicious reminder values are observed, use the script to remove either the affected messages or just the malicious property, and consider initiating incident response activities.
- For any targeted or compromised user, reset the passwords of every account that was logged in to the computers on which that user received suspicious reminders, and initiate incident response activities.
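As an added example that is not part of this advisory and is not Microsoft's check script: a Python triage routine for reminder-file values (the PidLidReminderFileParameter property) that a mailbox scan has already exported, supporting the "run the check script" and "suspicious reminder values" steps above. It assumes the input is a list of (mailbox, subject, value) tuples and a set of hostnames the organisation trusts; both are constructed here. It separates local sound-file paths from UNC paths that would make Outlook authenticate to a remote host, and it recognises the WebDAV spellings (\\host@80\..., \\host@SSL@443\...) as well as \\?\UNC\... and file:// forms, because an outbound 445 block alone does not stop a WebDAV-style path from reaching an attacker's server over HTTP when the WebClient service is running.

```python
"""Triage of PidLidReminderFileParameter values exported from a mailbox scan.

Added example, not Microsoft's CVE-2023-23397.ps1. Input records and the
trusted-host list are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hosts the organisation owns; any other remote target is treated as untrusted.
# Constructed for this example.
TRUSTED_HOSTS = {"fileserver.corp.example", "10.0.0.5"}


@dataclass(frozen=True)
class Verdict:
    kind: str                 # "none", "local", "remote-trusted", "remote-untrusted"
    host: Optional[str]       # target host for remote paths, lower-cased
    transport: Optional[str]  # "smb" or "webdav" for remote paths


# Matches \\host\share, \\?\UNC\host\share and the WebDAV forms
# \\host@80\share, \\host@SSL\share, \\host@SSL@443\share
# (forward slashes are normalised to backslashes before matching).
_UNC_RE = re.compile(
    r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\@]+)(?P<dav>(?:@SSL)?(?:@\d{1,5})?)(?:\\|$)",
    re.IGNORECASE,
)


def _normalise(value: str) -> str:
    """Strip a file: scheme and fold / to \\ so one regex covers all spellings."""
    v = value.strip()
    if v.lower().startswith("file:"):
        v = v[5:]
    return v.replace("/", "\\")


def classify_reminder_path(value: Optional[str],
                           trusted_hosts: Iterable[str] = ()) -> Verdict:
    """Decide whether a reminder-file value makes Outlook talk to a remote host."""
    if not value or not value.strip():
        return Verdict("none", None, None)
    m = _UNC_RE.match(_normalise(value))
    if m is None:
        # Drive-letter or relative path: the normal case for a reminder sound.
        return Verdict("local", None, None)
    host = m.group("host").lower()
    # An @port or @SSL suffix routes the path to the WebDAV mini-redirector.
    transport = "webdav" if m.group("dav") else "smb"
    trusted = {h.lower() for h in trusted_hosts}
    kind = "remote-trusted" if host in trusted else "remote-untrusted"
    return Verdict(kind, host, transport)


Record = Tuple[str, str, Optional[str]]  # (mailbox, subject, property value)


def triage(records: Iterable[Record],
           trusted_hosts: Iterable[str] = ()) -> List[Tuple[str, str, Verdict]]:
    """Return every record whose reminder path targets a host outside trusted_hosts."""
    hits = []
    for mailbox, subject, value in records:
        verdict = classify_reminder_path(value, trusted_hosts)
        if verdict.kind == "remote-untrusted":
            hits.append((mailbox, subject, verdict))
    return hits


# Constructed scan output: two benign entries, four remote spellings, one unset.
SAMPLE_RECORDS: List[Record] = [
    ("alice@corp.example", "Weekly sync", r"C:\Windows\Media\chimes.wav"),
    ("alice@corp.example", "Budget review", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("bob@corp.example", "Invoice", r"\\203.0.113.7\share\reminder.wav"),
    ("bob@corp.example", "Invoice (resend)", r"\\203.0.113.7@80\dav\reminder.wav"),
    ("carol@corp.example", "Re: contract", r"\\?\UNC\198.51.100.23\p\s.wav"),
    ("carol@corp.example", "Lunch", None),
]


if __name__ == "__main__":
    for mailbox, subject, v in triage(SAMPLE_RECORDS, TRUSTED_HOSTS):
        print(f"{mailbox}\t{subject!r}\t{v.transport}\t{v.host}")
```

Feed the real property values exported by the check script into triage() with your own host list; anything reported as remote-untrusted is a candidate for the removal step above, and a webdav verdict is a reminder that the target may still be reachable on TCP 80/443 even with 445 blocked.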