May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability
March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.
March 23, 2023 update: See Releases for Microsoft Products below for clarification on product changes and defense in depth update availability.
Summary
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows New Technology LAN Manager (NTLM) credential theft to an untrusted network, such as the Internet. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.
Impacted Products
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
Technical Details
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required.
The connection to the remote SMB server sends the user's NTLM negotiation message, which the threat actor can then relay for authentication against other systems that support NTLM authentication. To protect against known bypasses, please refer to CVE-2023-29324.
Fix
Please refer to CVE-2023-23397 Outlook updates to address this vulnerability, read FAQs, and additional mitigation details.
To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication.
The Outlook update addresses the vulnerability by only using the path to play a sound when the path refers to a local, intranet or trusted network source.
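The check described in Technical Details and Fix, namely that a UNC path supplied in the PidLidReminderFileParameter property is honoured only when it points at a local, intranet or trusted network source, can be expressed as a small triage helper. The following is an added example, not Microsoft's code and not the aka.ms/CVE-2023-23397ScriptDoc script: it takes (message id, property value) pairs such as that script would surface, classifies each value, and returns those whose host lies outside the trusted network. The trusted suffixes, trusted host names and the dot-less-name heuristic are assumptions standing in for the Windows zone configuration; the sample property values are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption for this example: an allowlist standing in for the "local,
# intranet or trusted" zones the Outlook update consults. A real deployment
# would derive this from the Windows Internet zone configuration.
TRUSTED_DNS_SUFFIXES = (".corp.example",)
TRUSTED_HOSTS = {"fileserver01"}

# A UNC path starts with two separators followed by a host, e.g. \\host\share\file.wav
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/].*)?$")


@dataclass
class Verdict:
    value: str
    is_unc: bool
    host: Optional[str]
    trusted: bool
    reason: str


def _is_private_or_local(host: str) -> bool:
    """True when the host is a literal private, loopback or link-local IP address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_reminder_path(value: str) -> Verdict:
    """Classify one PidLidReminderFileParameter value as trusted or untrusted."""
    value = value.strip()
    m = UNC_RE.match(value)
    if not m:
        # A plain local file path (e.g. C:\Windows\Media\chimes.wav) never leaves the host.
        return Verdict(value, False, None, True, "not a UNC path")
    host = m.group(1).lower()
    if host in ("localhost", "127.0.0.1") or host in TRUSTED_HOSTS:
        return Verdict(value, True, host, True, "local or explicitly trusted host")
    if _is_private_or_local(host):
        return Verdict(value, True, host, True, "private or link-local address")
    if "." not in host:
        # Assumption: dot-less names are treated as intranet, mirroring the
        # Windows heuristic that single-label names belong to the local intranet.
        return Verdict(value, True, host, True, "single-label intranet name")
    if host.endswith(TRUSTED_DNS_SUFFIXES):
        return Verdict(value, True, host, True, "trusted DNS suffix")
    # Anything else is an untrusted network; before the update Outlook would
    # have opened an SMB (TCP 445) connection here and sent the NTLM negotiation.
    return Verdict(value, True, host, False, "host outside trusted network")


def triage(properties: List[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """Return the (message id, verdict) pairs whose reminder path is untrusted."""
    flagged = []
    for message_id, value in properties:
        verdict = classify_reminder_path(value)
        if not verdict.trusted:
            flagged.append((message_id, verdict))
    return flagged


# Constructed sample values, as a mailbox scan might surface them.
SAMPLE_PROPERTIES = [
    ("msg-001", r"C:\Windows\Media\chimes.wav"),
    ("msg-002", r"\\fileserver01\sounds\alert.wav"),
    ("msg-003", r"\\10.0.4.12\share\ping.wav"),
    ("msg-004", r"\\printsrv\media\done.wav"),
    ("msg-005", r"\\share.corp.example\audio\bell.wav"),
    ("msg-006", r"\\reminder-host.example.net\share\reminder.wav"),
]

if __name__ == "__main__":
    for message_id, verdict in triage(SAMPLE_PROPERTIES):
        print(f"{message_id}: {verdict.value} -> {verdict.reason}")
```

Only msg-006 is reported for the sample above; the other five resolve to a local path, a trusted host, a private address, a dot-less intranet name and a trusted suffix respectively. Messages the helper flags are candidates for the follow-up steps in the investigation guidance linked under Impact Assessment, not proof of compromise on their own.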
Impact Assessment
To help you determine if your organization was targeted or compromised by threat actors exploiting this vulnerability, Microsoft Incident Response has published a guide for investigating attacks that use CVE-2023-23397 at Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.
Releases for Microsoft Products
The following table summarizes the releases for Microsoft products and what they provide:
Goal | Action | Outcome
---|---|---
Fix Outlook for Windows vulnerability | Update Outlook for Windows. | Outlook for Windows stops using the path contained in the PidLidReminderFileParameter message property if the path points outside of the trusted network.
Determine if your organization was targeted by actors attempting to use this vulnerability | If the mailbox is on Exchange Server or Exchange Online, run the https://aka.ms/CVE-2023-23397ScriptDoc script to check whether malicious messages are present. | Tasks, email messages and calendar items that have PidLidReminderFileParameter present are in the script output. Messages found can be modified if desired.
Defense in depth for new messages sent or received | Update Exchange Server to the March 2023 SU. Exchange Online users are already protected. | Exchange Server (with the March 2023 SU) and Exchange Online drop the PidLidReminderFileParameter message property at TNEF conversion when a new message is sent or received.
Fix Windows MSHTML Platform Security Feature Bypass Vulnerability | Apply the May 9, 2023 security update. Please refer to CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability. | Microsoft Windows addressed a reported bypass of CVE-2023-23397.
Acknowledgement
The Microsoft Incident Response team and Microsoft Threat Intelligence community appreciate the opportunity to investigate the findings reported by CERT-UA.
Through joint efforts, Microsoft is aware of limited targeted attacks using this vulnerability and has initiated communication with the affected customers. Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe. We appreciate Akamai responsibly disclosing the issues addressed in CVE-2023-29324, which gave us the opportunity to investigate and address the issues raised.
We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD).
References
- Visit the Security Update Guide for information about CVE-2023-23397 and CVE-2023-29324
- For more information, review the Exchange Team Blog
- Questions? Open a support case through the Azure Portal at aka.ms/azsupt