Overview
Microsoft has discovered a vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.
Microsoft has assigned the identifier CVE-2023-23397 to this vulnerability and rated it with an unusually high CVSS score of 9.8 (CVSS is the scoring system used to express a vulnerability's severity).
Vulnerability Details
Outlook has a 'Reminder' feature that notifies users of events on their calendar. The following alert is also displayed when the scheduled time has already passed.
Figure 1. Outlook Reminder feature
The PidLidReminderFileParameter MAPI property designates the path (which may be a UNC path) of the sound file the client plays when it raises a reminder alert for an event whose time has passed.
The PidLidReminderOverride property determines whether the PidLidReminderFileParameter value above is to be trusted.
If a threat actor sends an email whose PidLidReminderFileParameter value points to an SMB server they control and whose PidLidReminderOverride value is set to true, the recipient becomes vulnerable without any user interaction.
Figure 2. A portion of the PoC code that creates the malicious msg
When a user receives a maliciously crafted email like the one above, the client is forced to authenticate to the threat actor's SMB server, where the sound file is located. As a result, the user's NTLM hash can be stolen during the NTLM negotiation.
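The two properties described above can be triaged locally on a client as well. The following PowerShell is an added example for this post, not code from ASEC or from Microsoft's CVE-2023-23397.ps1. It assumes a Windows workstation with Outlook installed and a configured mail profile (only for Get-ReminderItemVerdicts); the property identifiers are taken from the MAPI PSETID_Common property set as documented in [MS-OXPROPS], and the sample values at the bottom are constructed, not real indicators.

```powershell
# Added example: not code from the ASEC post or from Microsoft's script.
# PidLidReminderFileParameter = 0x851F (PT_UNICODE), PidLidReminderOverride = 0x851C (PT_BOOLEAN),
# both in the PSETID_Common property set, addressed here with Outlook's DASL syntax.
$PSETID_Common = '{00062008-0000-0000-C000-000000000046}'
$DaslReminderFileParameter = "http://schemas.microsoft.com/mapi/id/$PSETID_Common/851F001F"
$DaslReminderOverride      = "http://schemas.microsoft.com/mapi/id/$PSETID_Common/851C000B"

function Test-ReminderFileParameter {
    <#
      Classifies one PidLidReminderFileParameter value together with the
      PidLidReminderOverride flag. A plain local path is the normal case for a
      custom reminder sound. A UNC path makes the client contact an SMB server
      to fetch the sound, which is the authentication trigger described above;
      with Override set, Outlook treats that path as trustworthy.
    #>
    param(
        [AllowEmptyString()][string]$FileParameter,
        [bool]$Override
    )
    # Accept the three UNC spellings: \\host\..., //host/..., \\?\UNC\host\...
    $isUnc = $FileParameter -match '^(\\\\\?\\UNC\\|\\\\|//)'
    $result = [pscustomobject]@{
        FileParameter = $FileParameter
        Override      = $Override
        IsUncPath     = $isUnc
        RemoteHost    = $null
        Verdict       = 'Benign: local path'
    }
    if (-not $isUnc) { return $result }

    # Normalise to "host\share\..." and keep the host the client would connect to.
    $stripped = $FileParameter -replace '^\\\\\?\\UNC\\', '' -replace '^(\\\\|//)', ''
    $result.RemoteHost = ($stripped -split '[\\/]')[0]

    if ($Override) {
        $result.Verdict = 'Suspicious: UNC sound path with PidLidReminderOverride set'
    } else {
        $result.Verdict = 'Review: UNC sound path, override not set'
    }
    return $result
}

function Get-ReminderItemVerdicts {
    <#
      Walks one default Outlook folder through the Outlook COM object model and
      returns a verdict for every item carrying PidLidReminderFileParameter.
      olFolderInbox = 6, olFolderCalendar = 9, olFolderTasks = 13.
    #>
    param([int]$DefaultFolder = 6)
    $outlook = New-Object -ComObject Outlook.Application
    $folder  = $outlook.GetNamespace('MAPI').GetDefaultFolder($DefaultFolder)
    foreach ($item in $folder.Items) {
        $pa = $item.PropertyAccessor
        # GetProperty throws when the named property is absent, which is the
        # case for the vast majority of items; those need no further checks.
        try   { $fileParam = [string]$pa.GetProperty($DaslReminderFileParameter) }
        catch { continue }
        try   { $override = [bool]$pa.GetProperty($DaslReminderOverride) }
        catch { $override = $false }
        $verdict = Test-ReminderFileParameter -FileParameter $fileParam -Override $override
        $verdict | Add-Member -NotePropertyName Subject -NotePropertyValue $item.Subject -PassThru |
                   Add-Member -NotePropertyName EntryID -NotePropertyValue $item.EntryID -PassThru
    }
}

# Constructed sample values (placeholder hosts from the documentation range, not real IOCs)
# that exercise each branch of the classifier.
$samples = @(
    [pscustomobject]@{ FileParameter = 'C:\Windows\Media\Alarm01.wav';              Override = $true  }
    [pscustomobject]@{ FileParameter = '\\fileserver.corp.example\sounds\a.wav';    Override = $true  }
    [pscustomobject]@{ FileParameter = '//203.0.113.10/share/reminder.wav';         Override = $true  }
    [pscustomobject]@{ FileParameter = '\\?\UNC\203.0.113.10\share\reminder.wav';   Override = $false }
)
$samples |
    ForEach-Object { Test-ReminderFileParameter -FileParameter $_.FileParameter -Override $_.Override } |
    Format-Table FileParameter, IsUncPath, RemoteHost, Verdict -AutoSize

# Against a live mailbox (Outlook required), keeping only items that point at an SMB share:
# Get-ReminderItemVerdicts -DefaultFolder 9 | Where-Object IsUncPath | Export-Csv .\reminder-audit.csv -NoTypeInformation
```

A UNC path to an internal file server is not proof of compromise on its own; the host reported in RemoteHost is what decides whether the item warrants follow-up, and the override flag tells you whether Outlook would actually have used it. Microsoft's Exchange-side script remains the authoritative check for a whole tenant; this client-side pass is useful for a single mailbox or for a machine that cannot be reached through Exchange.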
Impact of Vulnerability
All Microsoft Outlook versions for Windows prior to the regular Microsoft security update of March 2023 are affected.
※ Other versions of Microsoft Outlook such as Outlook for Android, iOS, and Mac, as well as the web-based Outlook and other M365 services are not affected.
Mitigating Vulnerability
- Add users to the Protected Users security group to prevent NTLM from being used as an authentication mechanism.
※ The above measure may affect applications that require NTLM.
- Block outbound TCP 445/SMB from the network.
For more detailed mitigation methods, please refer to the MSRC Mitigations category.
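Both mitigations above can be applied with PowerShell. The following is an added example for this post, not ASEC's or Microsoft's code; it assumes the ActiveDirectory RSAT module on a domain-joined administrative host for the group change and local administrator rights for the firewall rule, and the account names are placeholders.

```powershell
# Added example (not from the ASEC post or MSRC). Assumes the ActiveDirectory
# module is available and the session runs with sufficient privileges.
Import-Module ActiveDirectory

function Add-ToProtectedUsers {
    # Adds accounts to Protected Users, which stops them from authenticating
    # with NTLM. Leave out service accounts or any account that still depends
    # on NTLM (the caveat given above). Membership is checked first so the
    # function can be re-run safely.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    $members = Get-ADGroupMember -Identity 'Protected Users' |
               Select-Object -ExpandProperty SamAccountName
    foreach ($sam in $SamAccountName) {
        if ($members -contains $sam) {
            Write-Verbose "$sam is already a member of Protected Users"
            continue
        }
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
        Write-Verbose "Added $sam to Protected Users"
    }
}

function Block-OutboundSmbToInternet {
    # Host-firewall rule blocking outbound TCP 445 to addresses outside the
    # intranet. Scoping the remote address to 'Internet' keeps internal file
    # shares working while the client can no longer reach an external SMB
    # server; it complements, rather than replaces, a perimeter block.
    $name = 'CVE-2023-23397 - Block outbound SMB to Internet'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists"
        return
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any -Enabled True
}

# Usage with placeholder account names:
Add-ToProtectedUsers -SamAccountName 'jdoe', 'asmith' -Verbose
Block-OutboundSmbToInternet -Verbose
```

Test the Protected Users change on a small group of accounts first: applications that authenticate only with NTLM will start failing for those users, which is exactly the side effect noted above.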
Scan Method
On March 15, Microsoft released a script that checks messaging items (emails, calendar entries, and tasks) in an Exchange environment for signs of the CVE-2023-23397 vulnerability being exploited.
Organizations that use Outlook can run the provided CVE-2023-23397.ps1 script to check whether an attack exploiting this vulnerability has occurred.
The following are the prerequisites for running the script.
Exchange Server (on-premises)
Run the following PowerShell commands in the Exchange Management Shell (EMS):
New-ThrottlingPolicy "CVE-2023-23397-Script"
Set-ThrottlingPolicy "CVE-2023-23397-Script" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity "<UserWhoRunsTheScript>" -ThrottlingPolicy "CVE-2023-23397-Script"
Exchange Online
Run the script with Global Administrator or Application Administrator privileges.
How to Use
The script supports two scan modes.
Audit mode: the script produces a CSV file listing the items on which the properties are set, along with their details.
Exchange Server (on-premises)
Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem
Exchange Online
Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment "Online"
Cleanup mode: the script removes the properties from, or deletes, the detected items in order to remediate them.
Exchange Server (on-premises)
.\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>
Exchange Online
.\CVE-2023-23397.ps1 -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>
For more details on the scanning process, please refer to the CSS Exchange homepage.
[File Detection]
Trojan/Msg.Agent (2023.03.17.00)
Exploit/BIN.Agent (2023.03.18.01)
Exploit/MSG.CVE-2023-23397 (2023.03.19.01)
Exploit/BIN.CVE-2023-23397 (2023.03.19.01)
[IOC]
Subscribe to AhnLab's next-generation threat intelligence platform 'AhnLab TIP' to check the related IOCs and detailed analysis information.
Source: https://asec.ahnlab.com/en/50218/