Microsoft Outlook Vulnerability Alert
Microsoft has confirmed a critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) that lets a remote attacker obtain a user's Net-NTLMv2 hash (the challenge-response value from an NTLM authentication, not the stored password hash) with no user interaction: the victim only has to receive a specially crafted message.
Microsoft has released a patch for the flaw, but it had already been exploited as a zero-day in NTLM relay attacks since at least mid-April 2022.
Background:
On 14 March 2023, Microsoft published a security update guide entry for CVE-2023-23397, a critical-severity vulnerability in Microsoft Outlook. It allows theft of NTLM credentials (Net-NTLMv2 hashes) that can then be relayed to other services as the victim; Microsoft classifies it as an elevation of privilege vulnerability.
What is the issue?
An attacker sends the victim a message that carries a reminder (a calendar appointment, task or similar item) whose extended MAPI (Messaging Application Programming Interface) property for the reminder sound file, PidLidReminderFileParameter, holds a UNC (Universal Naming Convention, the \\server\share\file string format that names a network resource) path to an attacker-controlled SMB (TCP 445) share. When the reminder is triggered, which for a reminder time already in the past happens as soon as Outlook processes the message, Outlook opens that path and authenticates to the attacker's SMB server with NTLM. No user interaction is required. The attacker captures the Net-NTLMv2 response from that authentication and can relay it to other systems that accept NTLM authentication, or crack it offline to recover the password.
According to Microsoft, “An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.”
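As an added example (not code from the original advisory, and not Microsoft's assessment script), the following PowerShell function classifies a reminder-sound path the way a mailbox-audit or mail-filtering job would need to: it recognises the UNC and WebDAV path forms that make Windows authenticate to a remote host, and reports whether that host lies outside an assumed internal DNS suffix. The `corp.example.com` suffix, the function name and the sample values are assumptions made for illustration.

```powershell
# Added example: classify the value of an Outlook reminder-sound property
# (PidLidReminderFileParameter) to decide whether it would make Outlook
# authenticate to a remote host. Not the original page's code.
function Test-ReminderFileParameter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        # Assumed internal DNS suffixes; any other host is treated as external
        [string[]]$TrustedSuffix = @('corp.example.com')
    )

    $r = [ordered]@{
        Value = $Value; IsUnc = $false; IsWebDav = $false
        Host = $null; IsExternal = $false; Severity = 'None'
    }
    if ([string]::IsNullOrWhiteSpace($Value)) { return [pscustomobject]$r }

    $p = $Value.Trim()
    # Long-path form \\?\UNC\host\share -> \\host\share
    if ($p -match '^\\\\\?\\UNC\\(.+)$') { $p = '\\' + $Matches[1] }
    # Windows path APIs also accept forward slashes (//host/share)
    $p = $p -replace '/', '\'

    # A local path (C:\..., or a bare file name) is the only benign case here
    if (-not ($p -match '^\\\\([^\\]+)\\')) { return [pscustomobject]$r }

    $r.IsUnc = $true
    $hostPart = $Matches[1]
    # WebDAV redirector forms: \\host@80\..., \\host@SSL\..., \\host@SSL@443\...
    if ($hostPart -match '^([^@]+)@') { $r.IsWebDav = $true; $hostPart = $Matches[1] }
    $r.Host = $hostPart.ToLowerInvariant()

    $trusted = $false
    foreach ($s in $TrustedSuffix) {
        $s = $s.ToLowerInvariant()
        if ($r.Host -eq $s -or $r.Host.EndsWith(".$s")) { $trusted = $true }
    }
    # A raw IP or an unknown name gets no trust. Any UNC at all is still
    # suspicious: a reminder sound has no reason to live on a network share.
    $r.IsExternal = -not $trusted
    $r.Severity = if ($r.IsExternal) { 'High' } else { 'Medium' }
    return [pscustomobject]$r
}

# Constructed sample values (not real captured data)
$samples = @(
    'C:\Windows\Media\Alarm01.wav',
    '\\203.0.113.7\share\reminder.wav',
    '\\?\UNC\files.corp.example.com\sounds\ding.wav',
    '\\evil.example.net@80\DavWWWRoot\x.wav',
    '//evil.example.net/share/x.wav'
)
$samples | ForEach-Object { Test-ReminderFileParameter -Value $_ } |
    Format-Table Value, IsUnc, IsWebDav, Host, IsExternal, Severity -AutoSize
```

Only the first sample comes back with `IsUnc` false. The internal share is still reported (Medium), because an attacker who already controls one internal host can point the reminder there; the WebDAV form is flagged separately because blocking TCP 445 alone does not stop it.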
What systems are impacted?
This impacts all versions of Microsoft Outlook for Windows. As per the Microsoft blog, other versions of Microsoft Outlook, such as Outlook for Android, iOS and Mac, as well as Outlook on the web and other M365 services, are not affected. The affected products listed in Microsoft's advisory are:
- Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
- Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
- Microsoft Outlook 2013 RT Service Pack 1
- Microsoft Outlook 2016 (32-bit edition)
- Microsoft Outlook 2016 (64-bit edition)
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit editions
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft has also published an impact assessment script, documented at https://aka.ms/CVE-2023-23397ScriptDoc, together with the steps to run it. It scans Exchange Server or Exchange Online mailboxes for items whose reminder-sound property is set to a UNC path, so you can find messages that were delivered before the patch was installed.
What can you do to protect yourself?
- Install the Microsoft Outlook security update. This is the actual fix; the items below are interim workarounds that reduce exposure until it is applied.
- Block all outbound TCP 445/SMB connections from your network to the internet. This stops the hash from reaching an attacker-controlled server on the internet, but not one inside your network.
- The Microsoft security guide for this CVE also suggests adding users to the Protected Users security group, which prevents those accounts from authenticating with NTLM. Because this can break applications that rely on NTLM for normal operation, treat it as a temporary measure for high-value accounts such as Domain Admins until the update is applied; afterwards the accounts can be moved out of the group so they can use NTLM again.
- Multi-factor authentication. NTLM itself has no MFA step, so this does not stop the relay; it limits what an attacker can do with a password cracked offline from a captured Net-NTLMv2 hash.
- Enforce SMB signing, so that a relayed NTLM session is rejected by SMB servers. Relay to LDAP or HTTP endpoints needs the equivalent controls there (LDAP signing and channel binding, Extended Protection for Authentication).
- Disable the WebClient service. If SMB is blocked, Windows falls back to WebDAV over HTTP through this service and would still send the NTLM authentication to the attacker's host.
- Disable the "Show reminders" setting in Outlook (File > Options > Advanced > Reminders). The UNC path is fetched when a reminder fires, so this removes the trigger, at the cost of losing reminders for that user.
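The following PowerShell script, added here as an example and not taken from the original page or from Microsoft's guidance, applies the workarounds above on a Windows endpoint and reports their state. The firewall rule name, the function names and the `-ProtectedAccount` parameter are assumptions; the Protected Users step needs the ActiveDirectory module (RSAT) and rights to change group membership, and everything else needs an elevated session.

```powershell
# Added example: apply and verify the interim workarounds for CVE-2023-23397
# on a Windows endpoint. Not the original page's code; run elevated.
function Set-Cve202323397Workarounds {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed: high-value accounts to put in Protected Users until patched
        # (leave empty to skip this step)
        [string[]]$ProtectedAccount = @()
    )
    $ruleName = 'CVE-2023-23397 block outbound SMB'   # assumed rule name

    # 1. Block outbound SMB to the Internet. LocalSubnet/Intranet traffic is
    #    unaffected, so an attacker host inside the network is not covered.
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block outbound TCP 445 to Internet')) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName `
                -Direction Outbound -Protocol TCP -RemotePort 445 `
                -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }

    # 2. Require SMB signing on both the client and server side, so a relayed
    #    NTLM session is rejected by SMB on this host and by hosts it talks to.
    if ($PSCmdlet.ShouldProcess('SMB', 'Require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }

    # 3. Disable WebClient so a blocked SMB connection cannot fall back to
    #    WebDAV over HTTP, which would leak the same NTLM exchange.
    if ($PSCmdlet.ShouldProcess('WebClient service', 'Stop and disable')) {
        Stop-Service -Name WebClient -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }

    # 4. Protected Users blocks NTLM for those accounts entirely. Use it for
    #    high-value accounts only and expect NTLM-dependent applications to break.
    foreach ($acct in $ProtectedAccount) {
        if ($PSCmdlet.ShouldProcess($acct, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $acct
        }
    }
    # "Show reminders" has no cmdlet of its own; it is a per-user Outlook option
    # (File > Options > Advanced > Reminders) or a Group Policy setting.
}

function Get-Cve202323397WorkaroundStatus {
    $ruleName = 'CVE-2023-23397 block outbound SMB'   # assumed rule name
    [pscustomobject]@{
        OutboundSmbBlocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
        SmbClientSigning   = (Get-SmbClientConfiguration).RequireSecuritySignature
        SmbServerSigning   = (Get-SmbServerConfiguration).RequireSecuritySignature
        WebClientStartup   = (Get-Service -Name WebClient).StartType
        # Click-to-Run installs record their build here; compare it with the
        # March 2023 build for your update channel in Microsoft's release notes.
        OfficeVersion      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue).VersionToReport
    }
}

# Usage: preview with -WhatIf, then apply and verify
Set-Cve202323397Workarounds -WhatIf
Set-Cve202323397Workarounds -ProtectedAccount @()
Get-Cve202323397WorkaroundStatus
```

Run the status function again after the security update is installed; once `OfficeVersion` shows a patched build you can remove the accounts from Protected Users, while the firewall rule, SMB signing and the disabled WebClient service are worth keeping as standing hardening against other NTLM coercion techniques.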
Don't know how to find out if you're impacted or how to remediate the vulnerability? Get in touch with HBS. We will assign one of our skilled engineers to evaluate and remediate security risks related to this vulnerability.
You can reach out to your account manager for assistance or click the button below, and our team will get you in touch with one of our solution consultants.