Microsoft Outlook bug (CVE-2023-23397) has been exploited in zero-day attacks

CVE-2023-23397

Microsoft’s Patch Tuesday for March 2023 addressed a staggering 74 new vulnerabilities affecting a wide range of its products. Among these vulnerabilities, nine have been classified as ‘Critical,’ but one particular zero-day vulnerability stands out: CVE-2023-23397, which targets Microsoft Outlook. In this article, we’ll delve into the details of this security flaw, its exploitation by a hacking group with ties to Russia’s GRU, and the implications for Outlook users.

A Dangerous Elevation of Privilege

CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability with a CVSSv3 base score of 9.8. A specially crafted message forces the Outlook client to connect to an attacker-controlled UNC path (an SMB share) and, as part of that connection, to authenticate with the logged-on user’s Windows account. What the attacker receives is the account’s Net-NTLMv2 response: not the NT hash itself, but an HMAC over a challenge the attacker chose. It can be cracked offline to recover the password, or relayed while the connection is live to authenticate as the user against another service that accepts NTLM. Only Outlook for Windows is affected; Outlook for Android, iOS and macOS, and Outlook on the web, are not.

Exploitation by a GRU-linked Hacking Group

The Outlook zero-day vulnerability has been exploited by a hacking group associated with Russia’s military intelligence service, GRU (via bleepingcomputer). This group targeted European organizations between mid-April and December 2022, breaching the networks of fewer than 15 government, military, energy, and transportation organizations. The flaw had therefore been in active use for close to a year before the March 2023 fix, which makes hunting for malicious messages that were delivered before the patch as important as applying it.

The Preview Pane: A Silent Attack Vector

What makes this vulnerability particularly concerning is that it requires no interaction from the user: the crafted message triggers when the Outlook client retrieves and processes it, before the message is displayed even in the Preview Pane. This gives attackers a stealthy vector that no amount of user caution can defeat. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft says in its security advisory.

How Attackers Exploit This Vulnerability

Attackers exploit CVE-2023-23397 by sending specially crafted messages that force the victim’s Outlook client to open a connection to an external UNC path under their control. Windows answers the share’s NTLM challenge with the victim’s Net-NTLMv2 response, which the attacker captures and can either crack offline or relay to another service that accepts NTLM without enforced signing or channel binding, authenticating there as the victim.
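To make concrete what “leaking the Net-NTLMv2 hash” in the two sections above actually means, here is an added example; it is not part of the original article and is not code from Microsoft or MDSec. It reproduces, offline and in pure Python, the challenge-response that Windows performs once Outlook has been coerced into connecting: the attacker’s rogue SMB host supplies the 8-byte server challenge, the victim answers with an NTLMv2 response derived from the NT hash of its password, and the attacker records both in hashcat mode 5600 form and guesses passwords against the record. The account name, domain, password, nonces and wordlist are constructed for the demonstration; the MD4 routine is included because the `md4` digest is disabled in many OpenSSL 3 builds of Python.

```python
import hashlib
import hmac
import struct
import time


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                           # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP 3.3.2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(ntowf2: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr: the 16 bytes an attacker cracks or relays. It is bound to the
    # server challenge, so it is not the NT hash and cannot be passed-the-hash.
    return hmac.new(ntowf2, server_challenge + blob, hashlib.md5).digest()


def client_blob(client_challenge: bytes, filetime: int, nb_domain: str) -> bytes:
    # NTLMv2_CLIENT_CHALLENGE ("temp" in MS-NLMP): version, timestamp, client nonce,
    # AV pairs (here only MsvAvNbDomainName + MsvAvEOL) and the trailing Z(4).
    dom = nb_domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(dom)) + dom + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def coerced_auth(password, user, domain, server_challenge, client_challenge, filetime):
    """The exchange the Outlook bug triggers, seen from the attacker's listener:
    attacker -> victim: CHALLENGE_MESSAGE carrying server_challenge;
    victim -> attacker: AUTHENTICATE_MESSAGE carrying NTProofStr || blob.
    Returns the record in hashcat -m 5600 format (user::domain:chal:proof:blob)."""
    blob = client_blob(client_challenge, filetime, domain)
    proof = nt_proof(ntowf_v2(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(captured: str, wordlist):
    """Offline guessing: recompute NTProofStr per candidate; the victim is never contacted."""
    user, _, domain, chal, proof, blob = captured.split(":")
    for candidate in wordlist:
        if nt_proof(ntowf_v2(candidate, user, domain), bytes.fromhex(chal), bytes.fromhex(blob)).hex() == proof:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed inputs with fixed nonces so the run is reproducible; a real rogue
    # server draws its 8-byte challenge at random, and so does the client.
    line = coerced_auth("Summer2023!", "jsmith", "CORP",
                        bytes.fromhex("1122334455667788"), bytes.fromhex("aabbccddeeff0011"),
                        int((time.time() + 11644473600) * 10_000_000))   # Windows FILETIME
    print(line)
    print("cracked:", crack(line, ["Welcome1", "Password1", "Summer2023!"]))
```

The point the code makes is the one that decides the response: what leaves the victim is NTProofStr, an HMAC over a challenge the attacker picked, so it is salted per connection and useless for pass-the-hash, but it can be guessed offline at hardware speed for as long as the password stays unchanged, and while the SMB connection is still open it can be relayed verbatim to any service that accepts NTLM without enforced signing. Rotating the password of an account whose response was captured closes the first path; blocking the outbound connection in the first place (the firewall mitigation below) closes both.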

Time to Patch

Microsoft’s Patch Tuesday updates for March 2023 address CVE-2023-23397, and the fix is the only complete remedy for Outlook users. Because no user interaction is required, caution when opening mail from unfamiliar senders offers no protection here; apply the update, and then check mailboxes for malicious messages that arrived before it. Microsoft has published a script, CVE-2023-23397.ps1, that audits Exchange Online and on-premises Exchange mailboxes for items carrying the malicious property and can clean them up.

The following mitigating factors may be helpful in your situation:

  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
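The two mitigations above, expressed in PowerShell for a domain-joined Windows host, as an added example that is not from the article or from Microsoft’s advisory. It assumes the RSAT ActiveDirectory module is installed on the administration host, uses a hypothetical high-value account `da-jsmith`, and applies the SMB block at the host rather than only at the perimeter, so that a laptop on an external network is covered too; outbound TCP 445 is dropped for every address outside RFC 1918 space so that internal file shares keep working.

```powershell
# Added example (not from the original article or Microsoft's advisory).
# Assumes: RSAT ActiveDirectory module, a domain-joined client, and a hypothetical
# high-value account 'da-jsmith'. Run from an elevated session.

Import-Module ActiveDirectory

# 1. Protected Users: members cannot authenticate with NTLM at all, so a coerced
#    connection from Outlook cannot yield their Net-NTLMv2 response. The group also
#    disables RC4/DES Kerberos pre-authentication and delegation, so test the
#    account's applications first. The user must sign out and back in for it to apply.
Add-ADGroupMember -Identity 'Protected Users' -Members 'da-jsmith'
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName

# 2. Host firewall: drop outbound SMB to every non-RFC1918 address, in all profiles.
$internet = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)
New-NetFirewallRule -DisplayName 'CVE-2023-23397 block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $internet -Action Block -Profile Any -Enabled True

# 3. Verify the rule landed with the intended scope.
Get-NetFirewallRule -DisplayName 'CVE-2023-23397 block outbound SMB to Internet' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Blocking 445 stops the SMB path only; WebDAV over port 80/443 can also carry an NTLM handshake to a UNC path, so the host rule is a stopgap, not a substitute for the patch.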

Update:

Today, security researcher Dominic Chell from MDSec published a quick write-up on CVE-2023-23397, which allows a remote adversary to leak NetNTLMv2 hashes. The write-up identifies the trigger: the PidLidReminderFileParameter extended MAPI property of a message or calendar item, which names the sound file to play when a reminder fires. When that property holds a UNC path, Outlook retrieves the file from the path as soon as the reminder is due, and Windows performs NTLM authentication to the remote share in the process.