On March 14, Microsoft released the regular Patch tuesday. During this patch Tuesday, Microsoft released 74 new patches addressing CVEs within Microsoft products.
Exploiting this vulnerability would allow an unauthenticated attacker to access the victim’s Net-NTLMv2 hash by sending a malicious meeting invite. Abusing this hash would allow the attacker to perform a relay attack and impersonate the user which could result in lateral movement and potentially privilege escalation within the active directory environment.
It is important to note that the user doesn’t have to open the email in order to be exploited.
Is there a risk?
XM Cyber research team reproduced the exploit to examine the likelihood of being attacked.
The exploit development wasn’t complex, which indicates that the risk of this vulnerability is very high.
We used the following code to create a crafted appointment and to save it before sending it to the victim.
When the victim receives the appointment it will trigger NTLM authentication to the IP address crafted in the PidLidReminderFileParameter parameter.
The attacker can then relay the incoming request to a service and impersonate the victim.
Given the widespread use of Microsoft Outlook, this vulnerability would allow the attacker to perform relay attacks, abusing the domain user that uses Outlook locally. This vulnerability could cause significant harm to any organization.
Who is affected?
According to Microsoft, all Outlook versions for Windows are considered vulnerable. During March Patch Tuesday, Microsoft released a patch for all Outlook versions.
What should you do?
Firstly, Microsoft has released a patch to fix the vulnerability. If you are using any of the affected products listed in the CVE-2023-23397, go and patch immediately.
In case, it’s currently not possible to patch the Outlook version, you can do the following workarounds to prevent this vulnerability from being executed or triggered on your machines.
- Enforce SMB Signing both on clients and servers. This will prevent the relay attack.
- As a best practice, Microsoft also recommends adding users to the Protected Users group in Active Directory. This will force user authentication to be with Kerberos authentication rather than NTLM. It is important to note that this might have an impact on applications that require NTLM authentication.
- Block Port TCP 445/SMB and WebDav as well.
Identifying CVE-2023-23397 with XM Cyber
The XM Cyber Research team is working on adding CVE-2023-23397 to the XM platform, to identify the vulnerability in XM Vulnerability Managemment module.
Similar to other vulnerabilities, organizations lack context and visibility of which machines are at risk and which users could be exploited, which makes it very hard to know what to tackle first and how.
The XM Cyber Research team is continuously analyzing the impact of the new vulnerability. As this situation is moving fast, we will provide best practices and prioritized remediation guidance when available in this blog.
The XM Cyber Research team will continue updating this blog advisory as more details emerge.