CVE-2023-23397, a critical vulnerability in Microsoft Outlook, was disclosed as part of the March 2023 Patch Tuesday updates. Affecting all Windows versions of Outlook, this vulnerability received a 9.8 CVSS rating. It stands out as a zero-touch exploit: it can be exploited with low complexity and requires no user interaction.
Attackers exploit the vulnerability by sending a message, for example a malicious calendar invite, with a specially crafted property that contains a Universal Naming Convention (UNC) path to a remote server they control. The exploit triggers when Outlook processes the message, even if the recipient never views it. When the victim’s device connects to the attacker’s server, it inadvertently sends NTLM authentication data, which attackers can use for further unauthorized access or attacks.
CVE-2023-23397 poses a unique threat because it requires neither user interaction nor high privileges to be exploited. It is particularly challenging to defend against because blocking outbound SMB traffic is difficult, especially for remote users. It has been exploited in limited attacks, with Microsoft coordinating with affected parties for remediation. While it affects all supported Windows versions of Outlook, other platforms such as Android, iOS, Mac, and the web version are not impacted.
Attack scenarios include NTLM relay attacks for data theft and WebDAV directory traversal for remote code execution. Attackers can leverage these techniques to gain deeper access to systems and networks.
To mitigate this vulnerability, Microsoft advises applying the March 2023 security update immediately. Additional recommended measures include blocking outbound SMB traffic, disabling the WebClient service to cut off WebDAV connections, adding users to the Protected Users Security Group, and enforcing SMB signing. Disabling the “Show reminders” setting in Outlook is also suggested to prevent NTLM credential leaks. A PowerShell script provided by Microsoft can help administrators identify and remove items with the exploitable property.
How can I check if I’m affected?
Microsoft offers a PowerShell script to help identify affected items. The script sifts through email, calendar, and task items to check for the presence of the “PidLidReminderFileParameter” property. Administrators can use it to identify items containing this property and then either clear the property or permanently delete the problematic items.
Download the script here: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
What can I do to prevent and mitigate CVE-2023-23397?
Here are some steps that security administrators can perform to reduce the risk of exploitation of CVE-2023-23397:
- Immediately implement the patches provided by the vendor. Microsoft has issued a patch in their March 2023 Security Update.
- Restrict outbound TCP 445/SMB traffic in your network, which will stop NTLM authentication messages from being sent to remote file shares. If restricting this traffic is not feasible, it’s advised to monitor and control outbound traffic on port 445, especially targeting unknown external IP addresses.
- Place users in the Protected Users Security Group to disable NTLM authentication, though be aware this might affect NTLM-dependent applications in your network.
- Lastly, mandate SMB signing on both clients and servers as a measure to thwart relay attacks.
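Two defender-side checks drawn from the advice above, as an added Python example that is not Microsoft's script and not part of the original article: classifying a PidLidReminderFileParameter value by where its UNC path points (the property the script under “How can I check if I’m affected?” searches for), and flagging outbound TCP 445 flows to external hosts in firewall logs (the monitoring step in the list above). The internal DNS suffix `.corp.example`, the firewall log format and all sample values are constructed assumptions; the real mailbox scan should still be done with Microsoft's script linked above.

```python
"""Constructed triage helpers for CVE-2023-23397 (not Microsoft's script)."""
import ipaddress
import re

# Assumption: the organisation's internal DNS suffix; RFC 1918 ranges count as internal.
INTERNAL_SUFFIXES = (".corp.example",)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# \\host\share\...  or the WebDAV forms \\host@80\share and \\host@SSL\share
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL|\d+))?\\")
LOG_RE = re.compile(r"dst=(\S+) dport=(\d+) action=(\w+)")  # constructed log format

def unc_host(value):
    """Return the host part of a UNC path, or None for local paths and empty values."""
    m = UNC_RE.match(value or "")
    return m.group(1).lower() if m else None

def is_external(host):
    """True unless host is an RFC 1918 address or carries an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in RFC1918)
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIXES)

def classify_reminder(value):
    """Classify a PidLidReminderFileParameter value as 'none', 'internal' or 'external'."""
    host = unc_host(value)
    if host is None:
        return "none"  # empty or a local file path: the normal case
    return "external" if is_external(host) else "internal"

def flag_smb_egress(lines):
    """Return (dst, action) for every outbound TCP 445 flow to an external host."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "445" and is_external(m.group(1)):
            hits.append((m.group(1), m.group(3)))
    return hits

SAMPLE_ITEMS = {  # constructed reminder property values, keyed by item subject
    "Weekly sync": r"\\fileserver.corp.example\sounds\ding.wav",
    "Invoice reminder": r"\\203.0.113.10\share\reminder.wav",
    "Dentist": r"C:\Windows\Media\ding.wav",
    "Standup": r"\\evil.example.net@80\DavWWWRoot\x.wav",
}
SAMPLE_LOG = [  # constructed firewall log lines
    "src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow",
    "src=10.0.0.5 dst=203.0.113.10 dport=445 action=allow",
    "src=10.0.0.7 dst=198.51.100.4 dport=443 action=allow",
]
```

Items classified as `external` are the ones worth removing and investigating; `internal` UNC values are unusual for a reminder sound and deserve a look, while an allowed 445 flow to an external address is the network-side signal that a credential may already have leaked.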