March 27, 2023

Cybersecurity in the News: Understanding Microsoft Outlook vulnerability, CVE-2023-23397, Mitigation Strategies

CVE-2023-23397 is a critical vulnerability in Microsoft Outlook for Windows. It can result in an elevation of privileges without requiring any user interaction. Exploiting it involves a threat actor sending the victim an Outlook appointment that tricks the target computer into connecting to an attacker-controlled server. The victim does not need to open the malicious calendar invitation, or even view it in the Preview Pane.

How Does it Work?

The attacker crafts a malicious calendar invite that contains a UNC path in the PidLidReminderFileParameter property. PidLidReminderFileParameter specifies the file path of the sound that should play as the appointment reminder, and Outlook attempts to retrieve that custom reminder sound automatically. Threat actors abuse this feature by creating a malicious invitation whose PidLidReminderFileParameter points at a server under the adversary's control. Once the target machine has connected to the malicious server, the threat actor can capture the user's NTLM hash and username.
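The property described above is the thing a defender wants to inspect. The following PowerShell is an added example, not code from the ThreatLocker post or from Microsoft: it classifies a reminder sound path as suspicious when it is a UNC path to a host outside an allow-list, and optionally walks the local Outlook calendar through the Outlook COM object model to find such items. It assumes Outlook is installed with a MAPI profile on the machine where the calendar scan runs, and the DASL property name is built from the PSETID_Common namespace and LID 0x851F for PidLidReminderFileParameter (a PtypString) as documented in MS-OXORMDR; the allow-listed host names and the sample values are constructed.

```powershell
# Added example (not from the original post). Detects calendar items whose
# PidLidReminderFileParameter points at a UNC path on an untrusted host.

# DASL name for PidLidReminderFileParameter: PSETID_Common GUID + LID 0x851F,
# type PtypString (0x001F). Assumption: verify against MS-OXORMDR for your build.
$ReminderFileDasl = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

function Test-ReminderFileParameter {
    # Returns $true when the value is a UNC path (\\host\share or //host/share)
    # whose host is not in the allow-list. A local .wav file returns $false,
    # as does an empty value (property not set on the item).
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string[]]$AllowedHosts = @('localhost')
    )
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    # Accept both backslash and forward-slash UNC spellings.
    if (-not ($Value -match '^(\\\\|//)(?<host>[^\\/]+)[\\/]')) { return $false }
    $hostName = $Matches['host']
    return ($AllowedHosts -notcontains $hostName)
}

function Get-SuspiciousCalendarItems {
    # Walks the default calendar via the Outlook COM object model and returns
    # every appointment whose reminder sound path fails the check above.
    # Assumption: Outlook is installed and a MAPI profile exists on this host.
    param([string[]]$AllowedHosts = @('localhost'))

    $outlook  = New-Object -ComObject Outlook.Application
    $calendar = $outlook.GetNamespace('MAPI').GetDefaultFolder(9)   # 9 = olFolderCalendar
    $hits = @()
    foreach ($item in $calendar.Items) {
        try {
            $path = $item.PropertyAccessor.GetProperty($ReminderFileDasl)
        } catch {
            continue   # GetProperty throws when the property is absent: nothing to inspect
        }
        if (Test-ReminderFileParameter -Value $path -AllowedHosts $AllowedHosts) {
            $hits += [pscustomobject]@{
                Subject      = $item.Subject
                Organizer    = $item.Organizer
                Created      = $item.CreationTime
                ReminderPath = $path
            }
        }
    }
    return $hits
}

# Constructed sample values so the classifier can be exercised without Outlook.
$trusted = @('localhost', 'fileserver.corp.example')   # constructed allow-list
$samples = @(
    'C:\Windows\Media\Alarm01.wav',              # local file
    '\\fileserver.corp.example\sounds\ding.wav', # internal share on the allow-list
    '\\203.0.113.10\share\reminder.wav',         # external host (RFC 5737 documentation IP)
    '//203.0.113.10/share/reminder.wav',         # forward-slash spelling of the same path
    ''                                           # property absent
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-ReminderFileParameter -Value $s -AllowedHosts $trusted), $s
}

# On a workstation with Outlook, list the items worth triage:
# Get-SuspiciousCalendarItems -AllowedHosts $trusted | Format-Table -AutoSize
```

The classifier deliberately treats any UNC host outside the allow-list as suspicious rather than trying to decide whether the host is "internal", because the SMB connection and the NTLM exchange happen regardless of where the share lives; the allow-list is where an organisation records the few file servers that legitimately host reminder sounds. The calendar walk only covers accepted appointments; the same property check can be applied to meeting requests still sitting in the Inbox.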

NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that lets users authenticate without re-entering their password each time. After the user has entered their username and password once, the password is hashed and stored in a database on the server or domain controller. These stored hashes are not salted, which makes a hash password-equivalent. If a threat actor obtains the NTLM hash, they can use it to gain unauthorized access to systems or data in several ways, including:

  • Pass-the-Hash Attack: An attacker uses the stolen NTLM hash to authenticate as the victim on other systems without knowing the user's password, gaining access to the victim's systems and data simply by passing the hash.
  • Brute-Force Attack: An attacker uses the NTLM hash as the target of a brute-force attack to guess the victim's password. Weak passwords are far more susceptible to this.
  • Rainbow-Table Attack: An attacker uses a rainbow table, a precomputed list of passwords and their hash values, to quickly determine which password produces a specific hash.

If the victim has local admin privileges, the attacker will also gain local admin privileges.  

Mitigating CVE-2023-23397

Microsoft has provided some mitigation guidelines on their MSRC page: CVE-2023-23397 - Security Update Guide. These guidelines include the following:  

  • Add users to the Protected Users Security Group, preventing the use of NTLM as a method of authentication.  
  • Block outbound TCP 445 (SMB) from your network using a perimeter firewall, local firewall, and VPN settings to prevent NTLM authentication messages from being sent to remote file shares.
  • Update to the most recent Microsoft patches as soon as possible.  
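The three guidelines above can be applied with built-in Windows cmdlets. The script below is an added example, not code from the ThreatLocker post or from Microsoft's guidance: it adds a pilot set of accounts to the Protected Users group, creates a local firewall rule blocking outbound TCP 445 to non-local addresses, and triggers an Office Click-to-Run update check. It assumes it is run elevated on a domain-joined host with the ActiveDirectory RSAT module available, that Office is a Click-to-Run installation under the default path, and that the account names, the rule name, and the install paths are ours, not taken from the page.

```powershell
# Added example (not from the original post). Applies the three mitigations
# listed for CVE-2023-23397 with built-in Windows cmdlets.
#Requires -RunAsAdministrator

# 1. Protected Users: members of this built-in AD group cannot authenticate with
#    NTLM at all, so a captured hash cannot be replayed for them. Membership also
#    disables cached logons and DES/RC4 Kerberos, so pilot with a small group first.
$UsersToProtect = @('alice', 'bob')   # constructed sample accounts (assumption)
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Protected Users' -Members $UsersToProtect
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName

# 2. Block outbound SMB (TCP 445) to anything outside the local subnets, so an
#    Outlook reminder path that points at an internet host never completes the
#    connection. 'Internet' is a built-in RemoteAddress keyword for non-local ranges.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'   # our name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
# Show the resulting rule and its port filter so the change can be verified.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# 3. Patching: Outlook is serviced by Office updates, not Windows Update. For a
#    Click-to-Run install, record the current Outlook build and ask the client
#    to check for updates now. Assumption: default Office install location.
$outlookExe = Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16\OUTLOOK.EXE'
if (Test-Path $outlookExe) {
    'Outlook build before update: {0}' -f (Get-Item $outlookExe).VersionInfo.ProductVersion
}
$c2rClient = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
if (Test-Path $c2rClient) {
    & $c2rClient /update user
}
```

The firewall rule is scoped to the `Internet` keyword rather than `Any` so that SMB to internal file servers keeps working; if the organisation also wants to stop connections to untrusted internal hosts, narrow `-RemoteAddress` further or pair the rule with an allow rule for known file servers. Protected Users membership is the strongest of the three because it removes NTLM for those accounts entirely, but it needs a domain functional level that supports the group and a pilot before broad rollout.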

While Microsoft has released a patch for this specific vulnerability, threat actors continue to search for and find new ways to exploit software that businesses depend on. It is only a matter of time before the next vulnerability is discovered and exploited. The ThreatLocker endpoint security platform can help protect your organization from exploitation of this Microsoft Outlook vulnerability while your IT team tests and applies the latest patch, and it helps you proactively protect against potential future exploits.

ThreatLocker Ringfencing™ places boundaries around permitted applications, controlling what they can do once running. By limiting what software can do, ThreatLocker reduces the likelihood an exploit is successful. ThreatLocker also reduces the ability of an attacker to weaponize powerful legitimate tools such as PowerShell and RunDLL. In this exploit, svchost was used to initiate the SMB connection. ThreatLocker Ringfencing™ can block any application's ability to interact with svchost. Ringfencing™ can also block an application's ability to connect over SMB port 445.  

For CVE-2023-23397, ThreatLocker Ringfencing™ can be applied to the MS Outlook application to block its outbound connections on port 445. With that policy in place, when a malicious calendar invitation arrives on the victim computer, Outlook cannot reach the adversary's server while attempting to follow the path specified in the PidLidReminderFileParameter, which prevents the attempted exploit.

ThreatLocker’s suite of security tools implements a zero trust security posture in any organization. Schedule a call today to see how ThreatLocker’s Allowlisting, Ringfencing™, Elevation Control, Storage Control, and Network Access Control (NAC) can protect your organization from known and unknown threats.