
Critical Vulnerability in Microsoft Outlook (CVE-2023-23397)

Advisory No: TZCERT/SA/2023/03/17

Date of First Release: 17th March 2023

Source: Microsoft

Software Affected:  Microsoft Outlook for Windows

Overview:

Microsoft has released security patches to address an elevation of privilege vulnerability affecting Outlook for Windows. Microsoft Outlook is Microsoft's personal information manager and email client, with features such as calendaring, task management, contact management, note-taking and journal logging. This vulnerability could allow an attacker to take control of an affected system.

Description:

This vulnerability is tracked as CVE-2023-23397 (CVSS score: 9.1). It is triggered by the receipt of a crafted Outlook MSG file in which the "PidLidReminderFileParameter" property is set to an attacker-controlled SMB resource (IP address); Outlook then initiates NTLM authentication to the attacker-controlled server whether or not the email has been viewed. This allows NTLM credential theft with no user interaction.

The connection to the attacker-controlled server sends the user's NTLM negotiation message, which the attacker can then relay to authenticate against other systems that support NTLM authentication.
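As an added example (not part of this advisory or of Microsoft's guidance), the following Python triage routine classifies already-extracted PidLidReminderFileParameter values: a value that would make Outlook open a path on a host outside the organisation is the pattern described above, while local files and internal shares are separated out. The allow-list of internal hosts and networks, and the sample values, are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical allow-list of internal hosts/networks that may legitimately host
# reminder sound files; adjust to the environment being assessed.
TRUSTED_HOSTS = {"fileserver.corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def remote_host(value):
    """Return the host a reminder file parameter would contact, or None if local.

    Handles plain UNC paths (\\\\host\\share\\file) and file: URIs; a file: URI that
    normalises to a drive letter (file:///C:/...) is treated as local.
    """
    v = value.strip()
    if v.lower().startswith("file:"):
        v = v[5:].replace("/", "\\")
    if not v.startswith("\\\\"):
        return None  # drive-letter or relative path: resolved on the local machine
    host = v.lstrip("\\").split("\\", 1)[0]
    if not host or re.fullmatch(r"[A-Za-z]:", host):
        return None
    return host


def is_trusted(host):
    """True if the host is an allow-listed name or an IP inside an internal network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in TRUSTED_HOSTS
    return any(ip in net for net in TRUSTED_NETS)


def triage(value):
    """Classify one PidLidReminderFileParameter value for defender review."""
    host = remote_host(value)
    if host is None:
        return "ok"          # local file: no outbound authentication
    if is_trusted(host):
        return "review"      # internal share: unusual for a reminder, but not external
    return "suspicious"      # external host: Outlook would send NTLM authentication


# Constructed sample values, as they might be dumped from mailbox items.
SAMPLES = [
    r"C:\Windows\Media\Alarm01.wav",
    r"\\fileserver.corp.example\sounds\ding.wav",
    r"\\203.0.113.5\share\alert.wav",
    "file://203.0.113.5/share/alert.wav",
]


def triage_samples():
    return {s: triage(s) for s in SAMPLES}
```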

Impact:

Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.

Solution:

  1. Add users to the Protected Users security group; this prevents the use of NTLM as an authentication mechanism.
  2. In the firewall, block all outbound TCP 445/SMB from your network. This prevents NTLM authentication messages from being sent to remote file shares.

References:

  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
  2. https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
