Microsoft Outlook is affected by CVE-2023-23397, an elevation-of-privilege vulnerability that lets attackers launch an NTLM relay attack to authenticate against another service. Although only limited attacks have been observed, the vulnerability has a low attack complexity rating, meaning that threat actors are likely to be able to use it with relative ease; it has been disclosed as exploited in attacks since April of 2022. The exploit is triggered when the Outlook client retrieves and processes a malicious message, calendar invite, or task. The actors exploiting it so far have been linked to Russian intelligence services and have used it in targeted attacks against government, military, energy, and transportation organizations. The vulnerability has been proven exploitable only in Windows-based versions of Outlook, not in other versions such as macOS. Because Outlook is so widely used on Microsoft Windows systems, Microsoft Office is ubiquitous globally, and understanding of how the vulnerability is exploited is still developing, it is important that organizations prepare themselves and stay on top of any updates concerning CVE-2023-23397.
Threat Synopsis – CVE-2023-23397
Microsoft published a detailed advisory for CVE-2023-23397, a zero-day vulnerability that allows a threat actor to send a specially crafted email to Microsoft Outlook clients on Windows. The client then automatically connects to a UNC location under the actor’s control, which receives the user’s Net-NTLMv2 password hash. All Microsoft Outlook products on Windows are affected, but not Outlook for Android, iOS, or macOS. Microsoft recommends that users patch their systems immediately, has released several mitigations for organizations that cannot patch their systems immediately, and has provided a script to check for signs of exploitation.
This is a critical escalation-of-privilege vulnerability exploited via NTLM credential theft. Attackers can create a specially crafted email message containing the extended MAPI property “PidLidReminderFileParameter”, which specifies the filename of the sound that a client should play when the reminder for that object becomes overdue. Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM relay attacks against other systems. Exploitation can occur before the email is opened or previewed by the user.
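A defender-side triage sketch for the property described above, added here as an example and not taken from Microsoft's advisory or script: it classifies PidLidReminderFileParameter values that have already been exported from mailboxes and reports every value that is a UNC path. The sample items, the `.corp.example` suffix, the function names, and the policy of treating RFC 1918 and single-label hosts as internal are all assumptions.

```python
import ipaddress
import re

# Assumption: DNS suffixes and address ranges this organisation treats as internal.
INTERNAL_SUFFIXES = (".corp.example",)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches \\host\share, \\?\UNC\host\share and \\.\UNC\host\share ("/" accepted as separator).
UNC_RE = re.compile(r"^[\\/]{2}(?:[?.][\\/]UNC[\\/])?([^\\/]+)[\\/]", re.IGNORECASE)

# Constructed sample: (item subject, PidLidReminderFileParameter value).
SAMPLE = [
    ("Weekly sync", "reminder.wav"),
    ("Team lunch", r"C:\Windows\Media\Alarm01.wav"),
    ("Budget review", r"\\fs01.corp.example\sounds\ding.wav"),
    ("Invoice overdue", r"\\203.0.113.10\share\a.wav"),
    ("Re: schedule", r"\\?\UNC\files.example.net\s\a.wav"),
]


def unc_host(value):
    """Return the server part of a UNC path, or None if value is not a UNC path."""
    m = UNC_RE.match(value.strip().strip("\x00"))
    # \\?\C:\... and \\.\device\... are local device paths, not network locations.
    if not m or m.group(1) in ("?", "."):
        return None
    return m.group(1).lower()


def classify(value):
    """Triage one property value: 'ok', 'internal-unc' or 'external-unc'."""
    host = unc_host(value)
    if host is None:
        return "ok"  # empty or local file name: a normal reminder sound
    try:
        internal = any(ipaddress.ip_address(host) in net for net in RFC1918)
    except ValueError:
        # Not an IP literal: single-label names or allowlisted suffixes count as internal.
        internal = "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return "internal-unc" if internal else "external-unc"


def triage(items):
    """Return (subject, verdict) for every item whose reminder sound is a UNC path."""
    verdicts = ((subject, classify(path)) for subject, path in items)
    return [(s, v) for s, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE):
        print(f"{verdict:13} {subject}")
```

Any UNC path in a reminder sound is unusual enough to review; the internal/external split only sets the priority.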