Updated late March 15 with news of a POC landing, and earlier March 15 to remove the RCE reference from the headline; strictly this is an EOP vulnerability. See also our updated piece of March 17 here.
A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and demands urgent patching. CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them steal the recipient's credentials.
It gets worse: The victim doesn’t even need to open the malicious email: As Microsoft notes in its own guidance for the Microsoft 365 vulnerability: “[The email] triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”
Join peers following The Stack on LinkedIn
The critical Microsoft Outlook vulnerability affects both 32 and 64-bit versions of Microsoft 365 Apps for Enterprise. Office 2013, 2016, and 2019 (as well as LTSC) are also vulnerable to attack, which is triggered by a malicious email that causes a connection from the victim to a location under attacker control; leaking the Net-NTLMv2 hash (challenge response protocols used for authentication in Windows environments) of the victim to the attacker who can then relay this to another service and authenticate as the victim.
Short version: Poisoned email doesn’t even need to be opened to pop your security. Very bad news.
(Microsoft has a detailed pdf on Pass-the-Hash attacks against the Windows operating systems available for download here which it links to in this week's guidance. Readers, do note that the pdf is over a decade old.)
Microsoft Outlook vulnerability CVE-2023-23397 mitigations
Microsoft notes that potentially helpful mitigation may be adding users to the “Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible” but warns that “this may cause impact to applications that require NTLM, however the settings will revert once the user is removed” from the Protected Users Security Group.
Redmond also suggests that admins block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings: “This will prevent the sending of NTLM authentication messages to remote file shares” it adds in guidance for tackling CVE-2023-23397.
It attributed the find to CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence.
Some 15 European government, military, energy, and transportation organisations were targeted using the exploit between mid-April and December 2022 [we suspect that they did not stop then], a threat analytics report sent to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions said, as reported by Bleeping Computer, which said the note attributes the attacks to Russian military intelligence (variously tracked as APT28, Fancy Bear, Sednit, Sofacy, or STRONTIUM...)
More widespread attacks are likely to follow as the patch is reverse-engineered and offensive security researchers including at cybercrime groups identify how the exploit works.
UPDATED hours later: Yes, here we are...
Get our LinkedIn newsletter with a single click
As the Zero Day Initiative notes: “This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.”
Gal Sadeh, Head of Data and Security Research, Silverfort, notes that another critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should also be a priority “as it allows unauthenticated attackers to run remote commands on a target machine. Threat actors could use this to attack Domain Controllers, which are open by default. To mitigate, we recommend Domain Controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.” Not a good Patch Tuesday...