Advisory No: TZCERT/SA/2023/03/17
Date of First Release: 17th March 2023
Software Affected: Microsoft Outlook for Windows
Microsoft has released security patches to address an elevation of privilege vulnerability affecting Outlook for Windows. Microsoft Outlook is Microsoft's personal information manager and email client, with features such as calendaring, task management, contact management, note-taking and journal logging. This vulnerability could allow an attacker to take control of an affected system.
This vulnerability is tracked as CVE-2023-23397 (CVSS score: 9.1). It is triggered by the receipt of a crafted Outlook MSG file in which the "PidLidReminderFileParameter" property is set to a Threat-Controlled SMB resource (IP address). Receiving the message causes NTLM authentication to the Threat-Controlled server whether or not the email has been viewed. This allows NTLM credential theft that requires no user interaction.
The connection to the Threat-Controlled Server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.
Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.
- Add users to the Protected Users Security Group; this prevents the use of NTLM as an authentication mechanism for those accounts.
- In a firewall setting, block all TCP 445/SMB outbound from your network. This prevents NTLM authentication messages from being sent to remote file shares.
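The two mitigations above, applied from PowerShell. This is an added example written for this advisory; it is not TZCERT's or Microsoft's code. It assumes it is run elevated by a domain administrator on a host that has the ActiveDirectory (RSAT) and NetSecurity modules, and the account names in $UsersToProtect are placeholders to be replaced with real accounts.

```powershell
# Added example (not part of the TZCERT advisory): applies the two mitigations above.
# Assumes: run as a domain administrator on a host with the ActiveDirectory (RSAT)
# and NetSecurity modules; the names in $UsersToProtect are placeholders.
#Requires -RunAsAdministrator

Import-Module ActiveDirectory
Import-Module NetSecurity

# 1. Add high-value accounts to Protected Users, which prevents NTLM
#    authentication for them. Placeholder sAMAccountNames; replace as needed.
$UsersToProtect = @('jdoe', 'svc-admin')

foreach ($user in $UsersToProtect) {
    $acct = Get-ADUser -Identity $user -ErrorAction SilentlyContinue
    if (-not $acct) {
        Write-Warning "Account '$user' not found; skipping."
        continue
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct
}

# Verify membership before relying on it.
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName

# 2. Host-based counterpart of the perimeter rule: block outbound TCP 445 (SMB)
#    to Internet addresses. 'Internet' is the Windows Firewall built-in keyword
#    for non-local address ranges, so SMB to internal file servers keeps working;
#    use -RemoteAddress Any to block all outbound SMB from the host.
$ruleName = 'Block outbound SMB (CVE-2023-23397)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any
}

# Confirm the rule is present and enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

Protected Users membership also disables credential caching and weaker Kerberos encryption types for the account, so test service accounts before adding them. The host-based rule complements, rather than replaces, the network-edge block on TCP 445 the advisory calls for.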