Enterprotect


Critical Elevation of Privilege Vulnerability Discovered in Microsoft Outlook

A critical elevation of privilege (EoP) vulnerability was recently discovered in Microsoft Outlook. It allows threat actors to capture New Technology LAN Manager (NTLM) credentials, authenticate with them, escalate privileges, and gain access to victims' Windows environments. The vulnerability is especially noteworthy because no user interaction is required: the victim is exposed as soon as the email reaches their inbox and Outlook processes it, before the message is opened. This advisory covers the technical details of the vulnerability, the exposure and risk it creates, and recommendations for mitigating its impact.
 

What is the Threat?

CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook. A threat actor triggers it by sending a message that carries an extended Messaging Application Programming Interface (MAPI) property whose value is a Server Message Block (SMB) share path on a server the attacker controls. No user interaction with the message is required: when Outlook processes the message it connects to that remote share on its own, and the connection sends the victim's NTLM credentials to the threat actor. The threat actor then uses those credentials to authenticate to systems in the victim's environment that accept NTLM authentication, escalating their privileges. All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397.
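The following triage script is an added example for this advisory, not Microsoft's Impact Assessment script and not Enterprotect's code. It reads the reminder-sound property that CVE-2023-23397 abuses (PidLidReminderFileParameter, property 0x851F in the PSETID_Common namespace) from items in the local Outlook profile through the Outlook COM object model and reports any value that would make Outlook reach out to a remote host. It assumes Outlook is installed, the profile is open, and the script runs as the interactive user; the folder constant and output fields are the standard Outlook object-model values.

```powershell
# Added example (not the advisory's or Microsoft's script): flag Outlook items whose
# reminder-sound property points at a remote host. Assumes Outlook is installed and
# the profile is open. DASL name of PidLidReminderFileParameter (PSETID_Common / 0x851F,
# PT_UNICODE = 0x001F), the property CVE-2023-23397 abuses:
$PidLidReminderFileParameter =
    'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

function Test-RemoteReminderPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # A UNC path (\\host\share\...) or any URL makes Outlook contact another host
    # and, over SMB, authenticate with NTLM. A legitimate value is a local .wav file.
    return ($Path -match '^\\\\[^\\]+\\') -or ($Path -match '^[a-z]+://')
}

function Find-SuspiciousReminders {
    # Checks the default Inbox; the property can also sit on task and calendar items.
    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')
    $inbox   = $session.GetDefaultFolder(6)   # olFolderInbox = 6
    foreach ($item in $inbox.Items) {
        try {
            $value = $item.PropertyAccessor.GetProperty($PidLidReminderFileParameter)
        } catch {
            continue   # property is absent on this item: nothing to check
        }
        if (Test-RemoteReminderPath $value) {
            [pscustomobject]@{
                Received = $item.ReceivedTime
                Sender   = $item.SenderEmailAddress
                Subject  = $item.Subject
                Path     = $value
            }
        }
    }
}

# Anything listed here should be treated as an exploitation attempt: preserve the
# item for forensics and review authentication logs for the affected user.
Find-SuspiciousReminders | Format-Table -AutoSize
```

Microsoft's own script additionally covers Exchange mailboxes server-side and can clean the property; use it for the organization-wide assessment and this example only to understand what that assessment looks for.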
 

Why is it Noteworthy?

Microsoft Outlook is one of the most widely used email clients globally, and this vulnerability impacts all supported versions of Microsoft Outlook for Windows. CVE-2023-23397 has received a Common Vulnerability Scoring System (CVSS) critical base score of 9.8 out of 10 according to NIST’s National Vulnerability Database. This vulnerability is especially noteworthy since user interaction is not required, and the victim is affected the moment the email reaches their inbox. Businesses utilizing Microsoft Outlook on the Windows operating system are directly affected by this EoP vulnerability and should assess their systems carefully.
 

What is the Exposure or Risk?

Elevation of privilege vulnerabilities are treated as critical because they can lead to full access to every system in a victim's environment. In this case the vulnerability exposes sensitive credentials, which threat actors can relay back into the victim's environment to authenticate as the affected user. Because of the data Microsoft Outlook handles, personal and confidential information in these environments is at risk of exposure when the vulnerability is exploited. Microsoft has, however, released mitigations for CVE-2023-23397.
  

What are the Recommendations?

To limit the impact of this Microsoft Outlook vulnerability, Enterprotect recommends the following actions:

  • Immediately install the Outlook security update: Microsoft has released a security update that addresses CVE-2023-23397. Because the flaw is in the Outlook client rather than the mail server, all businesses should confirm that the update is installed regardless of where their email is hosted.

  • Perform Microsoft’s Impact Assessment: To ensure that your systems have not been affected by this vulnerability, businesses should perform Microsoft’s Impact Assessment, which includes documentation and a script that can be accessed at https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

  • Block TCP 445/SMB outbound from your network: Blocking outbound TCP 445/SMB at the network perimeter prevents NTLM authentication messages from being sent to remote file shares on the Internet. Note that a UNC path can also be reached over WebDAV (ports 80/443) when SMB is unavailable, so outbound restrictions on those ports and on the WebClient service are worth reviewing as well.

  • Add users to the Protected Users security group: Membership in the Active Directory Protected Users group prevents the use of NTLM authentication for those accounts. Prioritize privileged accounts and test first, because Protected Users membership also disables cached logons and other legacy authentication options that some applications still rely on.
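The two configurable mitigations above, the outbound SMB block and Protected Users membership, as an added example that applies and verifies them with built-in Windows cmdlets. This is not Enterprotect's or Microsoft's code; it assumes an elevated PowerShell session on a domain-joined host with the RSAT ActiveDirectory module, and the account names in $accounts are constructed samples.

```powershell
# Added example (not from the advisory): apply and verify the host-level mitigations.
# Assumes an elevated session, a domain-joined host and the ActiveDirectory module.

# 1. Block outbound SMB (TCP 445) to hosts outside the local network.
#    'Internet' is the Windows Firewall address keyword for non-local addresses, so
#    internal file shares keep working while NTLM never leaves the network. The
#    advisory's primary recommendation is the equivalent rule at the perimeter.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
}
# Verify: the rule exists, is enabled, and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
'{0}: Enabled={1} Action={2} RemotePort={3}' -f $rule.DisplayName, $rule.Enabled, $rule.Action, $port.RemotePort

# 2. Put high-value accounts into Protected Users, which disables NTLM for them.
#    Caveat: members also lose cached logons and legacy Kerberos options; test first.
Import-Module ActiveDirectory
$accounts = @('alice.admin', 'bob.admin')   # constructed sample sAMAccountNames
$group = Get-ADGroup -Identity 'Protected Users'
foreach ($sam in $accounts) {
    $user = Get-ADUser -Identity $sam
    $isMember = Get-ADGroupMember -Identity $group |
        Where-Object { $_.SamAccountName -eq $sam }
    if (-not $isMember) {
        Add-ADGroupMember -Identity $group -Members $user
    }
}
# Verify membership.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
```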

By following these recommendations, businesses can limit the impact of this vulnerability and ensure that their systems are secure.

References

For more information about the recommendations mentioned in this advisory, please refer to the following links:

 

Conclusion

CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook. It can allow threat actors to capture NTLM credentials, authenticate with them, escalate privileges, and gain access to victims' Windows environments. The vulnerability is especially noteworthy because no user interaction is required and the victim is exposed as soon as the email reaches their inbox. Businesses that use Microsoft Outlook on Windows should assess their systems carefully and take the actions above to mitigate its impact.

By following the recommendations provided by Enterprotect, businesses can ensure that they have the necessary security measures in place to limit the impact of CVE-2023-23397. It is essential to stay vigilant and proactive when it comes to cybersecurity to protect sensitive data and ensure business continuity.

As always, if you have any concerns or questions about this vulnerability or other cybersecurity threats, Enterprotect is available to provide expert advice and support. Contact us today to learn more about how we can help protect your business from cyber threats.