Rapid7
Threat Research

Rapid7 Analysis: CVE-2023-23397

Last updated on Jun 16, 2026

Description

CVE-2023-23397 is a zero-interaction vulnerability in Microsoft Outlook for Windows that was patched in the March 14, 2023 Patch Tuesday release. CERT-UA (the Ukrainian CERT) reported the vulnerability to Microsoft as exploited in the wild and has strongly implied nation-state exploitation. Microsoft has released an advisory via MSRC. Although the vulnerability is technically classified as an elevation of privilege (EoP) vulnerability, under certain conditions its impact is functionally equivalent to an authentication bypass.

Affected products include:

  • All versions of Microsoft Outlook for Windows are impacted.
  • Versions of Microsoft Outlook for Mac, iOS, Android, Outlook web access, and Microsoft 365 are not affected.

Technical analysis

Rapid7 analysts have corroborated MDSec’s analysis of the audit script provided by Microsoft. According to this analysis, the vulnerability is triggered by the receipt of a crafted Outlook MSG file in which the "PidLidReminderFileParameter" property, a message property that accepts a universal naming convention (UNC) path to the sound file played when a reminder fires, is set to an attacker-controlled resource, such as an external IP address.

When this parameter points to an external host, Outlook connects to that host over SMB and performs NTLM authentication as soon as the reminder is processed, whether or not the email has been opened or viewed in the preview pane. The connection to the attacker-controlled SMB server carries the user's Net-NTLMv2 authentication response, which the attacker can relay to other systems that accept NTLM authentication (or attempt to crack offline). In effect, this means that the mere receipt of a crafted MSG file can result in user impersonation against those systems, essentially an authentication bypass.
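The triage logic that follows from the analysis above, as an added example (this is not Rapid7, Microsoft or MDSec code): a small Python classifier for PidLidReminderFileParameter values that separates local sound paths from UNC paths, records whether the UNC form routes over SMB or WebDAV, and decides whether the target host sits outside the organisation. It assumes the named-property values have already been extracted from the MSG file or mailbox (by Microsoft's script or an MSG parser, which is out of scope here) and are presented as a dictionary keyed by (property-set GUID, LID). The sample messages and the internal DNS suffix `.corp.example` are constructed for the example.

```python
"""Triage helper for CVE-2023-23397: classify PidLidReminderFileParameter values.

Added example; not Rapid7, Microsoft or MDSec code. Assumes the named
property values have already been pulled out of the MSG file or mailbox.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Named-property coordinates from [MS-OXPROPS]: property set PSETID_Common,
# long ID 0x851F, type PtypString (path of the sound played by the reminder).
PSETID_COMMON = "00062008-0000-0000-C000-000000000046"
LID_REMINDER_FILE_PARAMETER = 0x851F

# Matches the UNC forms the Windows redirector accepts:
#   \\host\share\file.wav          -> SMB (TCP 445)
#   \\host@80\share\file.wav       -> WebDAV over HTTP
#   \\host@SSL@443\share\file.wav  -> WebDAV over HTTPS
_UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?:@(?P<ssl>SSL))?(?:@(?P<port>\d+))?(?:\\|$)",
    re.IGNORECASE,
)

# Address ranges and DNS suffixes treated as internal. The suffix is a
# constructed placeholder; replace it with your own.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")
]
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class Finding:
    path: str
    transport: str        # "local", "smb" or "webdav"
    host: Optional[str]
    external: bool
    reason: str


def host_is_external(host: str) -> bool:
    """True if the UNC host is outside the ranges/suffixes above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve via local DNS/NetBIOS; dotted names
        # count as internal only if they carry one of our suffixes.
        if "." not in host:
            return False
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in _INTERNAL_NETS)


def classify_reminder_path(path: str) -> Finding:
    """Classify one PidLidReminderFileParameter value."""
    m = _UNC_RE.match(path)
    if not m:
        return Finding(path, "local", None, False,
                       "not a UNC path; no network authentication is triggered")
    host = m.group("host")
    transport = "webdav" if (m.group("port") or m.group("ssl")) else "smb"
    external = host_is_external(host)
    reason = f"UNC path makes Outlook authenticate with NTLM to {host} over {transport.upper()}"
    if external:
        reason += "; host is external, so the Net-NTLMv2 response leaves the network"
    return Finding(path, transport, host, external, reason)


PropertyDump = Dict[Tuple[str, int], object]


def scan_message(props: PropertyDump) -> Optional[Finding]:
    """props maps (property-set GUID, LID) -> value, as a property dump would."""
    value = props.get((PSETID_COMMON, LID_REMINDER_FILE_PARAMETER))
    if not isinstance(value, str) or not value:
        return None
    return classify_reminder_path(value)


# Constructed sample property dumps (not real messages).
_KEY = (PSETID_COMMON, LID_REMINDER_FILE_PARAMETER)
SAMPLE_MESSAGES: Dict[str, PropertyDump] = {
    "no-reminder-sound": {},
    "default-sound":     {_KEY: r"C:\Windows\Media\Alarm01.wav"},
    "internal-share":    {_KEY: r"\\fileserver.corp.example\media\alarm.wav"},
    "external-smb":      {_KEY: r"\\203.0.113.5\share\reminder.wav"},
    "external-webdav":   {_KEY: r"\\203.0.113.5@80\dav\reminder.wav"},
}


if __name__ == "__main__":
    for name, props in SAMPLE_MESSAGES.items():
        finding = scan_message(props)
        verdict = "FLAG" if finding is not None and finding.external else "clean"
        detail = finding.reason if finding else "property absent"
        print(f"{verdict:5} {name:18} {detail}")
```

Two points worth noting when adapting this. First, an internal UNC target is not automatically safe: an attacker with a foothold inside the network can host the SMB listener there, so many teams flag any reminder path that is a UNC path at all and only use the external/internal split for prioritisation. Second, the `\\host@80\...` and `\\host@SSL@443\...` forms are handed to the WebDAV Mini-Redirector rather than SMB, so a firewall rule that only blocks outbound TCP 445 does not stop that variant; the transport field is there so those cases are not lost.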

Guidance

Microsoft Outlook users are encouraged to patch as soon as possible. Additionally, outbound SMB connections (TCP port 445) from the network to the internet should be blocked at the perimeter firewall, so that a reminder pointing at an external UNC path cannot complete the NTLM exchange.

Adding users to the Protected Users security group prevents NTLM from being used as an authentication mechanism for those accounts, but may break applications that require NTLM.

Microsoft has provided documentation and a PowerShell script that checks Exchange mailboxes for messages carrying this property, so organizations can determine whether they were targeted by threat actors.
