March 31, 2023 HAWKEYE

CVE-2023-23397 – Critical Outlook Vulnerability

On March 14th, 2023, Microsoft released patches for approximately 80 newly found security vulnerabilities. Two of these were zero-days: CVE-2023-23397 and CVE-2023-24880.

Background

These two vulnerabilities were evaluated as severe using the Common Vulnerability Scoring System (CVSS), with ratings of 9.8 and 5.1, respectively. In addition to the security updates, Microsoft has issued a detailed advisory for CVE-2023-23397, which outlines the problem in depth.

Microsoft Outlook contains an Elevation of Privilege (EoP) vulnerability that can have serious consequences. The vulnerability is triggered when an attacker delivers a message to the victim with an extended Messaging Application Programming Interface (MAPI) property containing a Universal Naming Convention (UNC) path. When the victim receives the malicious message, the UNC path directs the victim's client to a Server Message Block (SMB) (TCP 445) share located on a server controlled by the attacker, and the vulnerability is exploited.

Working of CVE-2023-23397

CVE-2023-23397 derives its capability from a network-based attack vector. It all starts with a specially crafted email that contains a malicious calendar or meeting invitation. The invitation sets a customized notification sound, replacing the default WAV file with a path to an SMB share controlled by the attacker. Accessing the Universal Naming Convention (UNC) path causes the victim's client to send an NTLM authentication attempt to the attacker's server. The attacker can then attempt to retrieve or replay the disclosed NTLM hashes.

To carry out this attack, the infected email requires no user interaction. When an email arrives in a user’s inbox, both the email and the exploit are automatically activated. Financial data, sensitive consumer information, employee data, and other sensitive information could all be lost as a result of an attack. This is a serious danger to any susceptible business and necessitates rapid action to reduce exploitable exposure to CVE-2023-23397.

A malicious calendar appointment invitation can be crafted with two additional MAPI properties:

  • PidLidReminderFileParameter:
    PidLidReminderFileParameter is a string value that specifies the filename for a WAV or audio file that will be played as the tone and reminder notice sound when a meeting or event has passed. If it is set to a remote resource through a UNC path, the target may connect to that location and trigger NTLM authentication, revealing sensitive hashes for a user’s credential.
  • PidLidReminderOverride:
    PidLidReminderOverride is a boolean value that simply makes the provided file parameter mandatory. When it is set to true, the actor can ensure that this file is used.

Impact

Although NTLM authentication is considered risky, it is still used on newer systems to ensure compatibility with older ones. In this example, authentication is conducted using password hashes obtained from a client while visiting a shared resource. CVE-2023-23397 allows hackers to obtain hashes, which are subsequently used to successfully authenticate to the network of interest.

Several services directly use the NTLMv2 hash for authentication. In order to acquire access to hosts or services, attackers may attempt an NTLM relay attack. With the hash, attackers can directly authenticate to Windows hosts in various scenarios. This can lead to full domain compromise, especially if NTLMv2 hashes for administrative users are exposed. In certain NTLM relaying settings, it is not commonplace for attackers to traverse the domain and raise privileges when a single user’s hash is exposed.

Affected Applications

The vulnerability affects several versions of Microsoft Outlook, including 32- and 64-bit variants. Specifically, as shown below:

  • Microsoft Outlook 2016 (64-bit edition)
  • Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
  • Microsoft Outlook 2013 RT Service Pack 1
  • Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Outlook 2016 (32-bit edition)
  • Microsoft Office LTSC 2021 for 32-bit editions

Detection

Use the PowerShell script below, which Microsoft just provided, to check the impacted Exchange servers for any potential indicators of attack, such as fraudulent e-mail messages that exploit this vulnerability:

https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md

According to Microsoft, the script’s Audit Mode determines whether items in Exchange, such as mail, tasks, or calendar appointments, have a property set to a Universal Naming Convention (UNC) path, for example “\\host-name\share-name\file path”.

The PowerShell script also has a Cleaning Mode that deletes any messages with suspicious UNC properties.
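
An audit-mode style check for the two reminder properties described above, as an added Python example. It is not Microsoft's script; the item dictionaries, ids and host names are constructed for illustration.

```python
import re

# UNC forms: \\host\share\... and the \\?\UNC\host\share\... device form.
# Either slash direction is matched so a separator variant is not missed.
UNC_RE = re.compile(
    r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?(?P<host>[^\\/?]+)[\\/](?P<share>[^\\/]+)",
    re.IGNORECASE,
)

def audit_item(item):
    """Return a finding if the reminder sound property is a UNC path, else None."""
    value = (item.get("PidLidReminderFileParameter") or "").strip()
    match = UNC_RE.match(value)
    if match is None:
        return None
    return {
        "id": item["id"],
        "kind": item["kind"],
        "host": match.group("host").lower(),
        "share": match.group("share"),
        # Override set means the client is told to honour the custom sound.
        "override": bool(item.get("PidLidReminderOverride")),
    }

def audit_mailbox(items):
    """Audit-mode pass: report matching items, modify nothing."""
    return [f for f in map(audit_item, items) if f is not None]

# Constructed sample items (hypothetical ids, reserved example host names).
SAMPLE_ITEMS = [
    {"id": "a1", "kind": "appointment", "PidLidReminderOverride": False,
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "a2", "kind": "appointment", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\files.example.test\audio\tone.wav"},
    {"id": "a3", "kind": "task", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\?\UNC\Host2.example.test\s\t.wav"},
    {"id": "a4", "kind": "mail", "PidLidReminderFileParameter": None},
    {"id": "a5", "kind": "mail", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\?\C:\sounds\local.wav"},
]

if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_ITEMS):
        print(finding)
```

The extracted host is what an analyst would compare against known internal file servers before deciding whether an item needs cleaning.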

Detection from SOC Perspective

The detection logic is designed to identify any attempts to exploit CVE-2023-23397, a critical vulnerability in Microsoft Outlook that allows an attacker to remotely execute arbitrary code on a victim’s system. To detect this exploit attempt, the SOC has implemented a set of rules based on the behavior exhibited by Outlook when attempting to connect to a WebDAV or SMB share.

Specifically, the detection logic monitors the Windows security event logs for Event IDs 4656 and 4663, which are triggered when a user or process attempts to access an object in the security log. It then filters the events to only include those generated by the Outlook process (identified by the process name ending with “\OUTLOOK.EXE”) and checks if the object being accessed matches certain criteria.

The criteria for the object being accessed include whether it contains the registry keys “\REGISTRY\MACHINE\SYSTEM” or “Services”, and whether it ends with either “\WebClient\NetworkProvider” or “\LanmanWorkstation\NetworkProvider”. If these conditions are met, the detection logic flags the event as a potential exploitation attempt.

To reduce the likelihood of false positives, the detection logic also checks if the AccessList field in the event contains the string “%%4416”, which is a SID (security identifier) associated with the “SeSecurityPrivilege” privilege. This privilege is required to read or modify the security log, so if the AccessList field does not contain this SID, the event is likely to be a false positive and is filtered out.

By monitoring for these specific events and filtering out false positives, the SOC can detect and respond to any attempts to exploit CVE-2023-23397, helping to protect their network and prevent any potential damage from the exploit.
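
The rule described in this section, written out as an added Python example and run over constructed event records; it is not the SOC's or Microsoft's code. The dictionary keys mirror the event fields named above, while RecordId and the case-insensitive comparison are assumptions of this example.

```python
# Values taken from the rule as described in this section.
EVENT_IDS = {4656, 4663}
PROCESS_SUFFIX = "\\outlook.exe"
OBJECT_MARKERS = ("\\registry\\machine\\system", "services")
OBJECT_SUFFIXES = ("\\webclient\\networkprovider",
                   "\\lanmanworkstation\\networkprovider")
ACCESS_TOKEN = "%%4416"

def matches_rule(event):
    """True if one Security-log record satisfies every condition of the rule."""
    if event.get("EventID") not in EVENT_IDS:
        return False
    if not event.get("ProcessName", "").lower().endswith(PROCESS_SUFFIX):
        return False
    obj = event.get("ObjectName", "").lower()
    if not any(marker in obj for marker in OBJECT_MARKERS):
        return False
    if not obj.endswith(OBJECT_SUFFIXES):
        return False
    # Final filter from the text: drop records whose AccessList lacks %%4416.
    return ACCESS_TOKEN in event.get("AccessList", "")

def detect(events):
    """Return the RecordId of every record the rule flags."""
    return [e["RecordId"] for e in events if matches_rule(e)]

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SVC = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services"

# Constructed records for illustration; not taken from a real log.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4663, "ProcessName": OUTLOOK,
     "ObjectName": SVC + r"\WebClient\NetworkProvider", "AccessList": "%%4416"},
    {"RecordId": 2, "EventID": 4656, "ProcessName": OUTLOOK,
     "ObjectName": SVC + r"\LanmanWorkstation\NetworkProvider",
     "AccessList": "%%1538 %%4416"},
    {"RecordId": 3, "EventID": 4663, "ProcessName": OUTLOOK,
     "ObjectName": SVC + r"\WebClient\NetworkProvider", "AccessList": "%%1538"},
    {"RecordId": 4, "EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": SVC + r"\WebClient\NetworkProvider", "AccessList": "%%4416"},
    {"RecordId": 5, "EventID": 4663, "ProcessName": OUTLOOK,
     "ObjectName": SVC + r"\WebClient\Parameters", "AccessList": "%%4416"},
    {"RecordId": 6, "EventID": 4624, "ProcessName": OUTLOOK,
     "ObjectName": SVC + r"\WebClient\NetworkProvider", "AccessList": "%%4416"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```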

Mitigation

  • According to Microsoft’s security advice, adding users to the Protected Users Security Group prevents the use of NTLM as an authentication technique; however, this may produce unintended consequences with other programs and is only suggested as a temporary solution.
  • You can also block TCP 445/SMB outbound traffic from the edge of your network or local firewalls, preventing NTLM authentication from reaching external file shares.
  • It is also recommended to patch CVE-2023-23397 promptly and to run Microsoft’s script to check whether messages in Exchange use a UNC path and make sure there are no traces of vulnerability exploitation.