As part of the March Patch Tuesday fixes, Microsoft has released a critical elevation of privilege (EoP) authentication bypass vulnerability affecting all versions of Windows Outlook. With a CVSS score of 9.8, CVE-2023-23397 is one of two zero-day exploits disclosed on March 14 (the other being CVE-2023-24880).
Here’s what it all means:
What is the CVE-2023-23397 vulnerability?
CVE-2023-23397 is a critical zero-touch exploit triggered when the victim client is prompted and notified. This means that a security gap exists that requires relatively low complexity to abuse and no user interaction.
Utilizing an extended Message Application Program Interface (MAPI), the exploitation routine of this bug is pretty simple: an attacker will send a calendar item to an email recipient’s property in order to transmit a message to the target. This message (.msg file) calendar item arrives at the Outlook email server, then targets the Outlook email client in the form of a calendar invite or reminder.
This will initiate a connection for NTLM Authentication to the attacker target share (SMB – Server Message Block). Finally, WebDAV HTTP communication or responses will be generated by the attacker, thus making the exploit possible for that specific system or others.
The attacker, controlling share-hosting on a server, is able to exploit the vulnerability regardless of whether the recipient has seen the message or not. The malicious calendar invite remotely sent by the attacker triggers the PlayReminderSound, a vulnerable API endpoint using the custom alert sound option for reminders (“PidLidReminderFileParameter”).
Once the victim has connected to the attacker’s SMB server, the user’s New Technology LAN Manager (NTLM) negotiation message is automatically sent following the connection to the remote server, which the attacker can later use for authentication in other systems that are also supported by NTLM authentication.
Does it affect me?
As the most recent authentication protocol used by Windows, NTLMv2 hashes are used for a variety of services that represent user information such as passwords or usernames. This means that threat actors could attempt NTLM relay attacks in order to gain full domain compromise (if the compromised users are admins) or simply gain access to other services.
Even before the message preview appears to the victim, the zero-touch vulnerability could be triggered, which means user interaction is not necessary nor does it require high privileges.
All supported versions of Microsoft Outlook for Windows are affected by this bug and it is also important to note that the Microsoft 365 Windows Outlook app is vulnerable to this flaw, even though other online services such as Microsoft 365 are not susceptible to this attack (since they do not support NTLM authentication).
Other versions of Microsoft Outlook, Outlook on the web, iOS, Android, Mac are not affected.
Has CVE-2023-23397 been actively exploited in the wild?
Limited attacks abusing this security gap have been reported, and remediation has been coordinated by Microsoft with affected victims. Relay attacks have gained notoriety as a common use case for Mimikatz, which exploits the NTLM credential dumping routine via the sekurlsa module. This can lead to pass-the-hat (PtH) attacks, as well as variations of data and information theft. Once attackers are inside the system, they can use the network to move laterally and navigate the organization’s lines through the Server Message Block (SMB).
In addition to these attacks, attackers can leverage WebDAV services to exploit vulnerabilities, particularly in cases where no valid SMB service for Outlook exists or is not configured in the client. Attackers can set up a malicious WebDAV server to respond to affected victim clients with malicious pages that contain code to push payloads for remote code execution, such as webshells.
How to fix CVE-2023-23397
As a solution to the issue, Microsoft has provided a PowerShell script designed to scan calendar entries, task items, and emails to verify whether they have the “PidLidReminderFileParameter” property or not. By running the script, you should be able to locate items with this problematic property and subsequently permanently remove them from the system.
Blocking outbound SMB traffic for remote users is difficult since the attacker could make use of the exact same credentials to gain access to other resources.
To reduce the potential risk of CVE-2023-23397, we strongly recommend taking these steps:
- Apply all Microsoft patches immediately – As part of their March 2023 Monthly Security Update, Microsoft has publicly released a patch.
- Disable the WebClient service, which blocks all WebDAV connections, including the intranet.
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism, although it could impact applications that rely on NTLM in your environment.
- Blocking TCP 445/SMB outbound from your network is also important to prevent the possibility of sending NTLM authentication messages from and to remote file shares. If this is not an option, we strongly advise that you carefully look for unknown external IP addresses and block them, constantly monitoring outbound traffic over port 445.
- Enforce SMB signing on clients and servers to prevent a relay attack.
- Disable the “Show reminders” setting in Outlook to prevent the leak of NTLM credentials.
- To check if you are affected, Microsoft has provided a PowerShell script that scans emails, calendar entries, and task items to verify if they have the “PidLidReminderFileParameter” property. By running the script, administrators can locate problematic items that have this property and subsequently remove or delete them permanently.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Q1 2023 Vulnerability watch report
- MITRE ATTACK framework – Mapping techniques to CVEs
- VulnRX – risk and threat intelligence database
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-25610 in FortiOS
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.