CVE-2023-23397

Microsoft Outlook Elevation of Privilege Vulnerability

Recent assessments:

cbeek-r7 at March 15, 2023 8:17am UTC reported:

Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.

By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.

Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction and the vulnerability can be triggered without either reading the email or viewing the email in preview mode, the vulnerability will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.

CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397

tacotuesday at March 21, 2023 5:38pm UTC reported:

Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.

By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.

Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction and the vulnerability can be triggered without either reading the email or viewing the email in preview mode, the vulnerability will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.

CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5