Microsoft has patched an actively exploited zero-day vulnerability in Microsoft Outlook, tracked as CVE-2023-23397. The flaw lets an attacker capture the victim’s Net-NTLMv2 challenge-response authentication hash and then authenticate to other services as that user, which is why Microsoft classes it as an elevation-of-privilege bug.
Security researchers warn that CVE-2023-23397 is dangerous enough to become the most widely exploited bug of the year. In the three days since the vulnerability was disclosed, several proof-of-concept (PoC) exploits have appeared, and criminal interest is certain to grow, not least because the victim does not have to do anything to be exploited.
If patches can’t be made quickly, there are some other ways to deal with the problem.
Easy Exploit: No User Interaction Necessary
Attackers harvest the victim’s NTLM hash by sending a specially crafted Outlook item, such as a calendar appointment or task, whose reminder points to a file on an attacker-controlled UNC share. When the Outlook client retrieves and processes the item, it connects to that share and authenticates automatically with the user’s Net-NTLMv2 credentials. The exploit fires before the message is even rendered in the Preview Pane, so the victim never has to open the email.
The bug was reported by Ukraine’s Computer Emergency Response Team (CERT-UA) together with Microsoft’s own threat intelligence researchers and was fixed in this week’s Patch Tuesday release. It affects the Outlook for Windows desktop client, including installations connected to Exchange servers; Outlook for Android, iOS, Mac, and Outlook on the web (OWA) are not affected.
Mark Stamford, founder and CEO of OccamSec, says, “External attackers could send specially made emails that would make the victim connect to an external UNC location that the attackers control.” This will give the attacker the victim’s Net-NTLMv2 hash, which the attacker can then send to another service and use to log in as the victim, he says.
A Range of Potential Exploit Impacts
Nick Ascoli, founder and CEO of Foretrace, notes that although Microsoft has not said how the attackers used the flaw, the stolen authentication material can be relayed to other hosts on the network to move laterally.
“Depending on the victim’s permissions, attacks could include everything from stealing data to installing malware,” he says.
Bud Broomhead, CEO of Viakoo, says, “The likely victims are the ones whose identities are most likely to be used for business email compromise (BEC) and other types of exploits.” He says that this could have an effect on a few things, with identity management and trust in internal email communications being the most important.
“The risks also include breaking into core IT systems, spreading malware, using business email for financial gain, and disrupting business operations and business continuity,” Broomhead warns.
Is This the “It” Bug of 2023?
Viakoo’s Broomhead says that there could be many “It” bugs from Microsoft at this point in 2023, but this one is a strong candidate.
“It affects organisations of all sizes and types, has disruptive ways to fix it, and training employees won’t stop it,” he says. “This could be a vulnerability that needs more work to fix and fix up.”
He says that the attack surface is at least as big as the number of desktop Outlook users, which is a huge number. It could also be as big as the number of core IT systems that are connected to Windows 365, which is a very large number (pretty much everyone).
Then, as noted above, the proofs of concept (PoCs) now circulating make the situation even more attractive to cybercriminals.
“Since the vulnerability is public and instructions for a proof-of-concept are now well documented, other threat actors may use the vulnerability in malware campaigns and go after a wider audience,” says Daniel Hofmann, CEO of Hornetsecurity. “Overall, taking advantage of the flaw is easy, and proofs-of-concept are already available on GitHub and other open forums.”
What do businesses need to do? Broomhead warns that they may need to look beyond patches: “In this case, mitigation is hard because it changes how email systems and users are set up.”
How to Protect Against CVE-2023-23397
Hofmann from Hornetsecurity says that if a patch cannot be applied right away, administrators should use perimeter firewalls, local host firewalls, and VPN settings to block outbound TCP 445/SMB traffic from the network to the Internet.
“This action stops NTLM authentication messages from being sent to remote file shares, which helps to fix CVE-2023-23397,” he says.
To take NTLM off the table as an authentication method for sensitive accounts, organisations should also add those users to the Protected Users security group in Active Directory; members of that group cannot authenticate with NTLM at all.
“This method makes troubleshooting easier than other ways to turn off NTLM,” says Broomhead. “It is especially helpful for accounts with a lot of value, like domain administrators.”
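As an added example, not taken from the article or from any of the quoted vendors, the following PowerShell applies the two non-patch mitigations described above: blocking outbound SMB to the Internet and adding high-value accounts to Protected Users. It assumes Windows Defender Firewall with the NetSecurity cmdlets, the RSAT ActiveDirectory module, and that the only legitimate SMB destinations are RFC 1918 private ranges; the rule name and the choice of Domain Admins as the pilot population are illustrative.

```powershell
# Added example (not from the article or from Microsoft): applies the two
# non-patch mitigations for CVE-2023-23397 on a Windows host / AD domain.
# Assumptions (adjust to your environment): legitimate SMB destinations are
# only RFC 1918 private ranges, and the ActiveDirectory module is installed.

#Requires -RunAsAdministrator

# --- 1. Block outbound SMB (TCP 445) to any non-private address -----------
# Windows Firewall has no "not in" matcher, so the rule enumerates the public
# space around the RFC 1918 blocks (10/8, 172.16/12, 192.168/16). Block rules
# take precedence over allow rules, so internal file shares keep working while
# the NTLM handshake to an attacker's Internet-facing share is never sent.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397)'   # illustrative name

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
    -RemoteAddress $publicRanges -Profile Any -Enabled True

# Verify the rule exists and carries the expected port filter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter

# --- 2. Put high-value accounts in Protected Users -------------------------
# Members of Protected Users cannot authenticate with NTLM, so even if the
# Outlook client is tricked into connecting, no Net-NTLMv2 response is sent.
# Caveat: the group also disables DES/RC4 Kerberos and credential delegation
# and shortens TGT lifetime, so stage the change and pilot it before rollout.
Import-Module ActiveDirectory

$highValueAccounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($acct in $highValueAccounts) {
    # -WhatIf previews the change; drop it once the output matches expectations.
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct -WhatIf
}
```

The firewall rule only stops the SMB leg of the attack; it does not remove the malicious items already sitting in mailboxes, which is why the detection and clean-up step below still matters. The Protected Users change is the stronger control for administrative accounts, but because it also breaks legacy Kerberos ciphers and delegation, roll it out to a pilot group first.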
Broomhead adds that Microsoft has published a script that searches Exchange messages for UNC paths in the message properties and can clear the property or delete the affected items. Administrators are advised to run the script to determine whether they have been targeted and to remediate any malicious items it finds.