Microsoft Outlook Vulnerability Could Be 2023s It Bug

  /     /     /  
Publicated : 23/11/2024   Category : security


Microsoft Outlook Vulnerability Could Be 2023s It Bug


Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means that almost any business user could be a victim.



Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victims Net-NTLMv2 challenge-response authentication hash and impersonating the user.
Now its becoming clear that 
CVE-2023-23397
 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago,
more proof-of-concept (PoC) exploits
have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.
If patching isnt possible quickly, there are some options for addressing the issue, noted below.
The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when theyre retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.
Discovered by researchers from Ukraines Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsofts Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.
External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers control, says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.
Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didnt mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.
The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim, he says.
Bud Broomhead, CEO at Viakoo, notes that the likely victims are ones most susceptible to business email compromise (BEC) and to having their identity used for other forms of exploits. He points out there are a few areas that this potentially impacts, the most serious being identity management and trust of internal email communications.
The risks also include breaching of core IT systems, distribution of malware, business email compromise for financial gain, and disruption of business operations and business continuity, Broomhead cautions.
Viakoos Broomhead says that while at this point in 2023 there could be many possible It bugs coming from Microsoft, this is certainly a contender.
Because it impacts organizations of all types and sizes, has disruptive methods of mitigation, and training employees on it won’t stop it, this could be a vulnerability that requires more significant effort to mitigate and remediate, he explains.
He notes the attack surface is at least as big as the user base of desktop Outlook (massive), and potentially core IT systems connected to Windows 365 (very massive), and even any recipients of emails sent through Outlook (pretty much everyone).
Then as mentioned, the PoCs that are circulating makes the situation even more attractive to cybercriminals.
Since the vulnerability is public and instructions for a proof-of-concept are well documented now, other threat actors may adopt the vulnerability in malware campaigns and target a more widespread audience, adds Daniel Hofmann, CEO of Hornetsecurity. Overall, exploiting the vulnerability is simple, and public proofs-of-concept can already be found on GitHub and other open forums.
What should businesses do? They may have to look beyond patching, Broomhead warns: Mitigation in this case is difficult, as it causes disruption in how emails systems and users within it are configured.
For those unable to patch right away, Hornetsecuritys Hofmann says that to better protect the organization, administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings.
This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397, he explains.
Organizations should also add users to the Protected Users Security Group in
Active Directory
to prevent NTLM as an authentication mechanism.
This approach simplifies troubleshooting compared to other methods of disabling NTLM, Broomhead says. It is particularly useful for high-value accounts, such as domain administrators.
He points out
Microsoft has provided a script
to identify and clean up or remove Exchange messages with UNC paths in message properties, and it advises administrators to apply the script to determine if they have been affected by the vulnerability and to remediate it.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Outlook Vulnerability Could Be 2023s It Bug