Microsoft Outlook for Windows 0-Day Vulnerability - CVE-2023-23397

16 Mar / 2023

Microsoft Outlook for Windows 0-Day vulnerability

CVE: CVE-2023-23397

WHAT IS VULNERABLE?

  • All supported versions of Microsoft Outlook for Windows.
  • Outlook on the web (OWA), Outlook for Android and iOS, and Outlook for Mac are unaffected, as they do not use NTLM authentication.

WHAT IS HAPPENING?

  • Microsoft has published an update for Outlook for Windows that patches a previously unknown vulnerability.
  • The vulnerability lets an attacker obtain the user's NTLM credentials (their Net-NTLMv2 response) by making Outlook authenticate to an attacker-controlled server, with no user interaction required.
  • Microsoft reports that the vulnerability was already being exploited in the wild before the patch was released.

KEY FACTS

  • Attackers are using an elevation-of-privilege vulnerability in Outlook (CVSS 9.8) to steal NTLM credentials BEFORE the user opens the malicious email: the trigger is the item's reminder firing, so opening or even previewing the message is not required.
  • They do this by sending an email, calendar invitation or task carrying a malicious extended MAPI property, PidLidReminderFileParameter, which normally names a custom reminder sound file but here supplies a UNC path to a host outside your environment.
  • That UNC path points to an SMB share on an attacker-controlled server.
  • When Outlook follows the path, Windows automatically attempts NTLM authentication to that server, sending the user's Net-NTLMv2 response to the attacker.
  • The attacker can relay that authentication in real time to other systems in your environment that accept NTLM, authenticating as the user (NTLM relay), or attempt to crack the captured hash offline.

WHAT CAN YOU DO?

ASSESSING FOR POSSIBLE IMPACT

  • To determine whether your organization was targeted by actors attempting to use this vulnerability, Microsoft provides documentation and a PowerShell script at https://aka.ms/CVE-2023-23397ScriptDoc. The script checks Exchange Online or on-premises Exchange mailboxes for messages, calendar items and tasks carrying the malicious property.
  • Review the script output to determine risk. Tasks, email messages and calendar items that point to a share you do not recognise should be examined to confirm whether they are malicious. Detected items should be deleted, or the offending property cleared using the script's cleanup mode. Treat the affected user's NTLM credentials as exposed: reset the password and review recent NTLM logons by that account.
  • If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.
  • Apply the Outlook security update. Until it is deployed, Microsoft's recommended mitigations are to block outbound TCP 445/SMB from your network to the internet (perimeter firewall, local firewall and VPN settings) and to add high-value users to the Protected Users security group, which prevents NTLM from being used for those accounts.
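As an added example (not part of the original advisory and not Microsoft's script), the following PowerShell shows the check the procedure above describes, applied to a single local Outlook profile via the Outlook COM object model: it reads the extended MAPI property on each Inbox, Calendar and Task item and flags any whose reminder file path is a UNC path to a host outside an allow-list. The property identifier is the documented PidLidReminderFileParameter; $TrustedHosts and the hostnames in it are assumptions for illustration, and the machine must have Outlook for Windows installed with a configured profile.

```powershell
# Added example: scan the local Outlook profile for items carrying the
# PidLidReminderFileParameter property with a UNC path to an untrusted host.
# This is not Microsoft's CVE-2023-23397 script; it uses the Outlook COM object
# model, so it needs Outlook for Windows installed with a configured profile.
# $TrustedHosts is an assumed allow-list of hosts you expect reminder sound
# files to live on (for most organisations this list can be empty).
$TrustedHosts = @('fileserver01', 'fileserver01.corp.example')
$trusted = $TrustedHosts | ForEach-Object { $_.ToLowerInvariant() }

# PidLidReminderFileParameter: property set PSETID_Common
# {00062008-0000-0000-C000-000000000046}, LID 0x851F, type PT_UNICODE (0x001F).
$ReminderFileProp = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

function Get-UncHost {
    # Returns the host part of a \\host\share or //host/share path, else $null.
    param([string]$Path)
    if ($Path -match '^[\\/]{2}([^\\/]+)') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Test-SuspiciousReminderPath {
    # True when the path is UNC and its host is not on the allow-list.
    # Anything not in $Trusted (including raw IP addresses) is flagged.
    param([string]$Path, [string[]]$Trusted)
    $h = Get-UncHost -Path $Path
    return ($null -ne $h) -and ($Trusted -notcontains $h)
}

$outlook = New-Object -ComObject Outlook.Application
$ns = $outlook.GetNamespace('MAPI')

# Default folders: olFolderInbox = 6, olFolderCalendar = 9, olFolderTasks = 13.
$folders = foreach ($id in 6, 9, 13) { $ns.GetDefaultFolder($id) }

$findings = foreach ($folder in $folders) {
    foreach ($item in $folder.Items) {
        try {
            $value = $item.PropertyAccessor.GetProperty($ReminderFileProp)
        } catch {
            continue   # GetProperty throws when the property is not set on the item
        }
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        if (Test-SuspiciousReminderPath -Path $value -Trusted $trusted) {
            [pscustomobject]@{
                Folder       = $folder.Name
                Subject      = $item.Subject
                Created      = $item.CreationTime
                ReminderFile = $value
                EntryID      = $item.EntryID
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No items with an untrusted UNC reminder path found in Inbox, Calendar or Tasks.'
}
```

This only inspects the default Inbox, Calendar and Tasks folders of the profile it runs under; Microsoft's script runs against Exchange mailboxes server-side and covers every folder and every user, so use it for the organisation-wide assessment and this only for spot checks on a workstation. A flagged item can be neutralised in place with `$item.PropertyAccessor.DeleteProperty($ReminderFileProp)` followed by `$item.Save()`, but keep a copy of the EntryID and the path first, since the UNC host is an indicator you will want for firewall and proxy log searches.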

Cythera is committed to protecting our customers from cyber threats and ensuring their business continuity.
