It has been a quarter now, but this critical Outlook vulnerability is still one of the hot topics in the security world. Since the flaw was made public, many security firms, researchers, and threat hunters have been working on it. Your guess is correct: we are talking about the critical Microsoft Outlook vulnerability tracked as CVE-2023-23397, a flaw that can be exploited simply by sending an Outlook message or calendar item. Although several weeks have passed, we still urge all Outlook users to secure Outlook against CVE-2023-23397; successful exploitation can give an attacker unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.
Let’s go through the technical details of CVE-2023-23397: what it is, how it works, what its implications are, and how to secure your Outlook against this critical Elevation of Privilege vulnerability. We begin with the NTLM relay and pass-the-hash attacks that the leaked hash enables.
What are NTLM Relay and Pass-the-Hash Attacks?
NTLM, or NT LAN Manager, is an authentication protocol developed by Microsoft that is used to authenticate users in Windows networks. It is based on a challenge-response mechanism in which the client proves possession of its credentials (the username and the password hash) by answering a challenge from the server, and on success gains access to network resources.
NTLM relay attacks exploit flaws in the NTLM protocol to let an attacker authenticate as a user without knowing that user’s password. The attacker tricks the victim into attempting authentication against a machine the attacker controls, then relays the victim’s authentication attempt to another service while impersonating the victim. For example, the attacker may relay the victim’s authentication to a file share and gain access to sensitive documents.
Pass-the-hash is related to NTLM relay and takes advantage of the fact that NTLM authenticates with password hashes. In pass-the-hash, the attacker obtains a user’s password hash, typically through credential dumping, and then authenticates as that user by presenting the hash to servers instead of the actual password. The attacker gains access to systems with the hash alone, without cracking the password, and can reuse the hash against other systems to impersonate the victim.
Defenses against these attacks include blocking outbound NTLM from critical servers, enabling SMB signing, using Kerberos authentication rather than NTLM where possible, and implementing multifactor authentication. Monitoring for unusual account activity can also help detect attacks in progress. Pass-the-hash mitigations, such as limiting where password hashes are stored and transmitted on the network, also help secure against this technique.
Now let’s jump into the actual topic.
What is CVE-2023-23397?
CVE-2023-23397 is a critical elevation of privilege vulnerability that was disclosed in Microsoft Outlook on Windows in March 2023. It has a CVSS severity score of 9.8 out of 10, making it an extremely critical flaw.
This vulnerability allows an attacker to easily steal NTLMv2 password hashes from Windows devices running Outlook. It is triggered when the attacker sends a specially crafted message containing the PidLidReminderFileParameter extended MAPI property. This property can be set to a UNC file path pointing to an SMB share under the attacker’s control.
When the Outlook reminder for the malicious message is triggered, Outlook will automatically attempt to access the SMB share specified in order to play the “reminder sound” file. This results in Outlook sending the victim’s NTLMv2 password hash to the attacker’s server. The attacker can then crack the hash offline to reveal the password or directly use the hash for lateral movement in relay attacks against other systems supporting NTLMv2 authentication.
The most dangerous aspects of this vulnerability are that no user interaction is required for exploitation, that it affects all versions of Outlook for Windows, and that exploitation is simple to automate, allowing large-scale attacks. Because possession of a hash grants access to systems as if the attacker were the legitimate user, this vulnerability enables massive identity and data theft. Microsoft rated it “Exploitation More Likely” because of how easily it can be exploited without user interaction.
CVE-2023-23397 is therefore an extremely critical Outlook vulnerability that allows large-scale theft of password hashes and unauthorized access to enterprise resources. Its ease of automated exploitation without user interaction makes it a vulnerability that enterprises need to patch immediately.
How Could the Vulnerability CVE-2023-23397 Be Exploited?
CVE-2023-23397 is an extremely critical vulnerability in Microsoft Outlook that allows attackers to easily steal NTLMv2 password hashes. This vulnerability can be exploited by sending specially crafted messages to Outlook users containing a malicious Extended MAPI property called PidLidReminderFileParameter.
To exploit this, an attacker first sets up an SMB server under their control that will receive any leaked hashes. The attacker then creates an Outlook message, task, or calendar event that contains the PidLidReminderFileParameter property. This property is set to a UNC file path pointing to the attacker’s SMB server.
Setting up Outlook Client to play a custom sound when a reminder is triggered on Windows (Source: Microsoft)
When the Outlook reminder for this malicious item gets triggered, Outlook will attempt to access the SMB share specified in order to play a “reminder sound” file. This results in Outlook automatically sending the victim’s NTLMv2 hash to the attacker’s server in an authentication attempt.
No user interaction or privileges are required for this exploit to work. The victim simply needs to receive the booby-trapped message in their Outlook inbox; as soon as the reminder is triggered, their hash is leaked.
This vulnerability affects all versions of Outlook on Windows. Once the attacker captures the hash, they have numerous options, such as cracking the hash offline to reveal the password, reusing the hash for lateral movement, or accessing the victim’s Outlook data.
Some potential post-exploitation attacks include:
- Accessing the victim’s sensitive emails and documents stored in Outlook
- Pivoting to remote access services like VPNs or RDP using the credentials
- Moving laterally across the organization by reusing the hash against NTLM authenticated resources
- Cracking the hash offline to log into internet-facing systems using the revealed password
- Dumping credentials from the compromised host for escalated access
The ease of exploitation, the lack of user interaction required, and the powerful post-compromise capabilities make this vulnerability extremely dangerous. Attackers could abuse it to harvest password hashes on a massive scale and gain extensive unauthorized access. Enterprises need to urgently apply patches and mitigate the risks from this critical flaw.
Does this Vulnerability Leverage the Transport Neutral Encapsulation Format (TNEF)?
Yes. This vulnerability leverages the Transport Neutral Encapsulation Format (TNEF) used by Outlook and Exchange.
TNEF is a Microsoft technology that allows formatted message content, attachments, and other Outlook-specific features like meeting requests to be transmitted in a standard format. TNEF messages contain both a plaintext version and an attachment that encodes the formatted content. This attachment is typically named Winmail.dat.
The TNEF attachment contains extended MAPI properties like PidLidReminderFileParameter that attackers exploit in CVE-2023-23397. When an Outlook client receives a TNEF message, it parses this attachment to recreate the full formatted message with any MAPI properties.
So in this exploit, the attacker sets the malicious PidLidReminderFileParameter value in the TNEF attachment. You can view the extended MAPI properties associated with an object using a tool called MFCMAPI. When Outlook processes the item on the recipient’s end, the booby-trapped extended property triggers the vulnerability, allowing theft of the NTLM hash.
Screenshot of MFCMAPI showing the value of extended MAPI Properties (Source: Microsoft)
By leveraging TNEF, attackers can reliably deliver the malicious MAPI property while also transmitting a plaintext body that appears innocuous and benign to the user. This helps conceal the exploit activity from both recipients and security tools.
A Note About WebDAV
In its investigation of CVE-2023-23397, Microsoft includes an important note about WebDAV interactions. It states that credential leaks are not possible through WebDAV connections triggered via this vulnerability. Although threat actor infrastructure could request NTLMv2 authentication over WebDAV, Windows honors the defined internet security zones and will not send NTLMv2 hashes to an external IP address over WebDAV.
This means that while an attacker’s infrastructure can exploit CVE-2023-23397 over SMB to steal hashes to an external server, the same cannot occur via WebDAV. If SMB communication is blocked, Windows falls back to WebDAV, but no hashes are leaked externally this way. However, Securelist cautions that local exploitation via WebDAV may still be possible: an attacker who already has a foothold could set up an internal WebDAV server to capture hashes from Outlook clients that have received the malicious payload.
What is the Impact of this Vulnerability?
CVE-2023-23397 has an enormous impact due to the ease of exploitation and the powerful post-compromise capabilities it provides.
As noted in the Microsoft security blog, the theft of the Net-NTLMv2 hash enables threat actors to bypass authentication and gain unauthorized access to resources. Observed post-exploitation behaviors include leveraging the stolen hash to then compromise Exchange servers via relay attacks.
Threat actors could also abuse the compromised account’s privileges to send additional malicious messages to internal and external recipients. This demonstrates the hash’s usefulness for lateral movement within the victim organization.
Exploitation of CVE-2023-23397 in action: a threat actor attempts to gain unauthorized access to an Exchange Server and modify mailbox folder permissions (Source: Microsoft)
Further concerning post-exploitation activities involved using the Exchange Web Services API to enumerate and modify permissions on the user’s mailbox folders. By granting “owner” permissions to all mailbox folders, the threat actor established additional persistence. This granted continued access even if the user’s password was reset.
Example of lateral movement in a compromised environment (Source: Microsoft)
The ability to gain such privileged persistent access and move laterally simply by obtaining the Net-NTLMv2 hash highlights the immense impact of this vulnerability. It effectively serves as a gateway for threat actors to fully compromise user identities and leverage elevated privileges for extensive data exfiltration.
How to Secure Your Outlook from CVE-2023-23397, a Critical Elevation of Privilege Vulnerability in Outlook?
Organizations can take several steps to secure Outlook from CVE-2023-23397:
- Patch Outlook clients with the security update as soon as possible. This prevents the exploit by restricting the PidLidReminderFileParameter path to local and trusted networks only.
- Review any suspicious messages, tasks, or calendar invites reported by users and analyze for signs of exploitation. Even if the initial examination doesn’t reveal anything overtly malicious, check extended MAPI properties for suspicious PidLidReminderFileParameter values pointing to untrusted networks.
- Run the Exchange scanning script provided by Microsoft to check for messages containing the PidLidReminderFileParameter property set to untrusted UNC paths. Investigate any detected paths by searching for related indicators in perimeter and endpoint logs. Delete or modify detected messages.
- Consider customizing the scanning approach for large environments by prioritizing high-value users, limiting the date range scanned, or batching across user groups.
- Inspect SMBClient event logs on endpoints for connectivity errors indicating blocked connection attempts to threat actor-controlled servers. Event IDs 30800, 30803, 30806, 30804, and 31001 may reveal suspicious remote servers.
- Check endpoint processes for execution of the WebClient service making WebDAV connections to untrusted IPs. This may occur if SMB traffic is blocked and Outlook falls back to WebDAV.
- Collect and analyze relevant Exchange Server logs such as EWS, OWA, message tracking, IIS, and PowerShell logs. Look for NTLM authentication anomalies and evidence of mailbox enumeration or modification. The log collection tool referenced here helps organizations gather the relevant Exchange Server logs.
- Monitor perimeter security devices for any outbound SMB connections to the internet or suspicious public IPs. Disable or tightly restrict SMB traffic where possible.
- Reset passwords for any users compromised by this exploit since the stolen hash remains valid until changed. Initiate incident response to contain and eradicate any access gained.
- Add critical accounts like administrators to the Protected Users group to enforce Kerberos and disable NTLM authentication. This prevents hash theft.
- Deploy multifactor authentication to mitigate the impact of any hash leaks by blocking replay. Note this does not prevent hashes from being captured.
- Disable unnecessary services and ports in Exchange Server to reduce the attack surface. Limit inbound SMB connections only to trusted sources.
- Update Exchange Server to enable additional mitigations like blocking transfers of messages with suspicious MAPI properties.
- Monitor Microsoft Defender for Endpoint and Microsoft Defender for Office 365 for related detections indicating exploitation attempts.
- Develop customized hunting queries to find signs of NTLM relay attacks, abnormal Exchange authentications, and outbound SMB connections in security toolsets.
- Conduct security awareness training for employees on this phishing technique to help identify exploitation attempts targeting their accounts.
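The triage steps above (checking PidLidReminderFileParameter values for UNC paths that point to untrusted networks, and reviewing the server names surfaced by SMBClient connectivity events) come down to one question: does the reminder-sound path stay on the local machine or the intranet, or does it reach out to an external host? The following Python helper, added here as an example and not part of the original post, Microsoft’s scanning script, or Outlook’s own check, answers that question for a list of property values. Its zone logic is a deliberate simplification of Windows security zones (loopback is local; RFC 1918, link-local, single-label names and an assumed internal DNS suffix are intranet; everything else is untrusted), and it also recognizes the `\\host@80\...` and `\\host@SSL@443\...` forms that the Windows WebDAV mini-redirector uses, which is what the WebDAV fallback described earlier looks like in a property value. All sample values are constructed; 203.0.113.10 is a documentation-range address standing in for an external server, and the `corp.example.internal` suffix is an assumed placeholder.

```python
"""Triage helper for PidLidReminderFileParameter values (added example).

Classifies reminder-sound paths the way an analyst reviewing extended MAPI
properties or SMBClient connectivity events would: local files and
intranet hosts are expected, UNC paths to external hosts are the ones to
investigate first.  The zone rules below are a simplification and are not
Outlook's own check.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed internal DNS suffixes; a real deployment would take these from
# its own Intranet zone configuration.
TRUSTED_SUFFIXES = ("corp.example.internal",)

_LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
_INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# \\host\share\... with the optional @port / @SSL@port marker that the
# Windows WebDAV mini-redirector understands, e.g. \\203.0.113.10@80\dav\x.wav
_UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<dav>(?:@SSL)?@\d+)?(?:\\(?P<rest>.*))?$",
    re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    path: str
    host: Optional[str]
    transport: str   # "local", "smb" or "webdav"
    zone: str        # "local", "intranet" or "untrusted"
    suspicious: bool


def zone_for_host(host: str) -> str:
    """Map a host name or IP literal (e.g. from an SMBClient event) to a zone."""
    host = host.strip().lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names resolve inside the intranet,
        # dotted names must carry an allow-listed internal suffix.
        if "." not in host:
            return "intranet"
        if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
            return "intranet"
        return "untrusted"
    if any(ip in n for n in _LOCAL_NETS):
        return "local"
    if any(ip in n for n in _INTRANET_NETS):
        return "intranet"
    return "untrusted"


def classify_reminder_path(value: str) -> Verdict:
    """Classify one PidLidReminderFileParameter value."""
    normalized = value.strip().replace("/", "\\")
    m = _UNC_RE.match(normalized)
    if not m:
        # Drive-letter or relative path: the sound is read from the local disk.
        return Verdict(value, None, "local", "local", False)
    host = m.group("host")
    transport = "webdav" if m.group("dav") else "smb"
    zone = zone_for_host(host)
    return Verdict(value, host, transport, zone, zone == "untrusted")


def triage(values: List[str]) -> List[Verdict]:
    """Return only the verdicts an analyst should look at first."""
    return [v for v in (classify_reminder_path(x) for x in values) if v.suspicious]


# Constructed sample property values, as an analyst might export them
# from MFCMAPI or from a scan of mailbox items.
SAMPLE_VALUES = [
    r"C:\Windows\Media\Alarm01.wav",                     # local file, benign
    r"\\fileserver\sounds\reminder.wav",                 # single-label intranet host
    r"\\10.0.0.5\sounds\reminder.wav",                   # RFC 1918 address
    r"\\fs01.corp.example.internal\sounds\reminder.wav", # assumed internal suffix
    r"\\203.0.113.10\sounds\reminder.wav",               # external host over SMB
    r"\\203.0.113.10@80\dav\reminder.wav",               # same host, WebDAV fallback form
    r"\\evil.example@SSL@443\dav\reminder.wav",          # external name, WebDAV over TLS
]

if __name__ == "__main__":
    for v in triage(SAMPLE_VALUES):
        print(f"INVESTIGATE {v.transport:6} {v.host:28} {v.path}")
```

Feeding the server names from the SMBClient events listed above through `zone_for_host` gives the same local/intranet/untrusted split, so one helper covers both the mailbox review and the endpoint log review. Treat an “intranet” verdict as expected rather than safe: the WebDAV note earlier explains why an attacker with an internal foothold can still collect hashes from inside the perimeter.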
In summary, securing Outlook requires promptly patching clients, hunting for signs of exploitation in messaging and server logs, restricting the attack surface like SMB and NTLM, and implementing multifactor authentication and other mitigating controls. Ongoing detection and response capabilities are critical as well.
Indicators of Compromise
Here are the key indicators of compromise (IOCs) that can be used to analyze and block attacks exploiting CVE-2023-23397.
Malicious IP Addresses:
Malicious File Hashes:
Malicious SMB Server Paths:
By blocking these indicators across email gateways, firewalls, endpoint protection systems, and logging/analytics tools, organizations can protect themselves against attacks attempting to exploit CVE-2023-23397 in the wild.
Additionally, Kaspersky shared a list of sample files submitted to VirusTotal:
- 2022-03-18 – лист.eml
- Happy Birthday..msg
These VirusTotal sample submissions provide additional sources that can be used to tune detections and block exploits of CVE-2023-23397 in security tools. Where possible, the unique filenames can also be used to detect and block the malicious emails on email gateways. Analyzing these samples helps establish the timeline of when this vulnerability started being exploited in the wild.
In summary, CVE-2023-23397 is an extremely dangerous vulnerability that allows easy and reliable theft of highly privileged NTLMv2 password hashes from Outlook clients. Its wormable nature, the lack of user interaction required, and its powerful post-compromise impact enable large-scale identity and data theft by attackers. Organizations must apply urgent mitigations: patching, hardening Outlook and Exchange configurations, enforcing multifactor authentication, and implementing robust threat hunting to detect exploitation attempts. Ongoing vigilance and response capabilities focused on this critical threat are essential. By taking a proactive security posture, companies can protect their users and business-critical assets from attacks leveraging this vulnerability.