contact@prisminfosec.com +44 (0) 1242 652 100 +44 (0) 1242 652 100

LATEST CYBER SECURITY NEWS AND VIEWS

Home > News > Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

Latest news

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

Posted on by Prism Infosec

Introduction to CVE-2023-23397

On 14th of March, Microsoft released a security advisory, detailing CVE-2023-23397, a privilege escalation vulnerability, affecting various versions of Microsoft Outlook. The vulnerability has been assigned a CVSS:3.1 score of 9.8 (CRITICAL). 

The vulnerability allows a remote, unauthenticated attacker to access a victim’s Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker.

According to the Microsoft Security Resource Center (MSRC), the vulnerability already been utilised by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe.

Impact of CVE-2023-23397

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation before the email is viewed in the Preview Pane.

Furthermore, multiple proof-of-concepts are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high. 

Fixes for CVE-2023-23397

Microsoft has addressed the vulnerability on the 14th of March as part of “Patch Tuesday”, and advises that the safest way to remediate the issue is to apply the security update for the affected products. For those users who are unable to update, the following workarounds are suggested:

  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.

Users are advised to apply this patch immediately to avoid potential exploitation of this vulnerability. In addition to applying the patch, users should also review their system configurations to ensure that proper security controls are in place, such as strong access controls and network segmentation. Additionally, organizations should consider implementing security testing and vulnerability scanning to identify and address vulnerabilities before they can be exploited.

References

FILTER RESULTS

Latest tweets

Retweet on Twitter Prism Infosec Retweeted
Innovation News Network @innonewsnetwork ·
25 Mar

Phil Robinson, Principal Consultant at @prisminfosec, details how addressing cyber maturity can improve a business’ cybersecurity strategy.
#CyberMaturity #Cybersecurity

Click the link below to discover more⬇️

Retweet on Twitter Prism Infosec Retweeted
Cyber Essentials @cyberessentials ·
20 Feb

Congratulations to the following companies who are now certified to #CyberEssentials via our great Certification Bodies: Atlantic Limited via @prisminfosec and Ashbrook Research & Consultancy Ltd via @sericsystems

Sign up to our newsletter

  • Fields marked with an * are mandatory

  • This field is for validation purposes and should be left unchanged.