CVE-2023-23397 is a client-side vulnerability in Microsoft Outlook that allows an attacker to remotely exploit target systems that still rely on the legacy NTLM (NT LAN Manager) authentication protocol. The vulnerability stems from a flawed authentication design, classified as CWE-294 (authentication bypass by capture-replay).
It carries a critical CVSS 3.1 base score of 9.8, since it can be exploited remotely and requires no user interaction whatsoever; the only condition is that the victim's PC is powered on.
What is NTLM
NTLM is a security protocol used for authentication in Microsoft networks. It is a challenge-response protocol: the client proves who it is by answering the server's challenge with a value derived from the user's password hash. It is often used in conjunction with Active Directory to manage user accounts and provide secure access to network resources. NTLM has been obsolete for some time and has been replaced by Kerberos or OAuth in the majority of services, but many companies with older infrastructure still use it, either because of outdated configuration or because some network components lack support for anything newer.
One of the concerning aspects of NTLM is that the client never verifies the server's authenticity. Combined with what is, in our opinion, a completely trivial feature, namely the ability to set the reminder sound that plays when the recipient's calendar shows the appointment notification, this creates the opportunity for the vulnerability to be exploited.
The Exploit
To exploit it, an attacker sends an email invitation to an appointment containing a MAPI (Messaging Application Programming Interface) property with a UNC (Universal Naming Convention) path pointing to an SMB server under the attacker's control. Once sent, the email is forwarded from the victim's mail server to Outlook on the client's PC, and when the reminder for that appointment fires, Outlook tries to fetch the configured reminder sound, which is in fact hosted on the attacker's SMB server.
To retrieve it, the client sends an NTLM authentication hash that is generated from the hashes of the user's Windows domain credentials stored in the SAM (Security Account Manager) database on the domain controller. The second concerning factor regarding NTLM is that the hashes generated for authentication have no expiry date, meaning they could be reused to access any other service that is still configured to use NTLM.
Among those are Microsoft's Active Directory, SQL Server, Exchange, SharePoint, Remote Desktop, and many others. Considering this, the theft of these credentials can result in a large-scale security breach.
Affected versions
According to NVD, this vulnerability impacts the following versions of Microsoft Outlook for Windows:
- 2013 SP1
- 2013 SP1 RT (for ARM-based CPUs)
- 2016
- 2019
- 2021
- 365
We can't say with certainty, but it is possible that some older versions are affected as well (including 2003, 2007, 2010, and 2011), since they use the same version of NTLM and also offer reminder sound customization. Other releases of Office, such as Outlook for Mac, Outlook Mobile, and Outlook Web App, are not affected by this vulnerability.
Mitigation
The best course of action is to install the March 2023 monthly security update, which includes the official patch for CVE-2023-23397. If for any reason you are unable to do that, you should take some of the following steps:
- Add users to the Protected Users group - Members of the Protected Users group are subject to stricter security policies and protections, including a ban on NTLM authentication for their accounts.
- Block outbound traffic on TCP port 445 - This prevents devices on your local network from connecting to external SMB servers.
- Reconfigure your infrastructure - If your systems support newer authentication protocols, use them instead of NTLM.
If you've done all of the above, you should have little to worry about regarding CVE-2023-23397. But it would be an understatement to say that there are many more threats preying on easy targets on the network. Unlike in the past, today's criminals are more often smart than not, meaning they are capable of going to great lengths and carrying out sophisticated attacks and frauds.
Luckily, the fact that you've read our article this far means you're probably a person who is well aware of the risks the internet brings. To stay carefree, you should subscribe to our blog, where we will leave no stone unturned!