Microsoft Outlook Zero Day Vulnerability CVE-2023-23397 Actively Exploited In The Wild

Cyble Research & Intelligence Labs analyzes a Microsoft Outlook Zero-day vulnerability being actively exploited in the wild.

Critical Privilege Elevation vulnerability patched by Microsoft

Introduction

Microsoft has recently issued patches for around 80 newly discovered security vulnerabilities on March 14th, 2023. Among these vulnerabilities were two zero-day exploits, namely CVE-2023-23397 and CVE-2023-24880. The severity of these two exploits was rated using the Common Vulnerability Scoring System (CVSS), with scores of 9.8 and 5.1, respectively. In addition to the security patches, Microsoft has published a detailed advisory for CVE-2023-23397, which provides details of the vulnerability.

An Elevation of Privilege (EoP) vulnerability exists in Microsoft Outlook, and it can have serious consequences. The vulnerability is triggered when an attacker sends the victim a message carrying an extended Messaging Application Programming Interface (MAPI) property that contains a Universal Naming Convention (UNC) path. When the victim's client receives the malicious message, the UNC path directs it to a Server Message Block (SMB) share (TCP 445) hosted on a server controlled by the attacker, triggering the vulnerability.

This critical vulnerability does not require any action from the user. When the victim connects to the attacker’s SMB server, the user’s New Technology LAN Manager (NTLM) negotiation message is sent automatically, which the attacker can use for authentication against other systems that support NTLM authentication. However, online services such as Microsoft 365 are not susceptible to this attack since they do not support NTLM authentication.

New Technology LAN Manager (NTLM)

Microsoft uses New Technology LAN Manager (NTLM) hashes for authentication purposes. When a system attempts to access a service within the network, it sends an NTLM hash to the domain controller. The domain controller verifies the validity of the hash, and if it is valid, the requested service is provided to the system. This process is known as Single Sign-On (SSO). However, if threat actors (TAs) can obtain the NTLM hash, they can use it to move laterally within the infected network.

Messaging Application Programming Interface (MAPI)

MAPI is an extensive set of functions that developers can use to create mail-enabled applications. MAPI enables complete control over the messaging system on the client's computer, including the creation and management of messages, the management of the client mailbox, service providers, and so on.

Universal Naming Convention (UNC)

UNC is a naming system used in Microsoft Windows operating systems to identify and locate network resources such as files, folders, printers, and shared resources. UNC paths consist of a double backslash (\\) followed by the name or IP address of the computer hosting the resource.

Affected Versions

The recently discovered vulnerability CVE-2023-23397 affects all currently supported versions of Microsoft Outlook for Windows but not Outlook for Android, iOS, or macOS. To prevent potential attacks, Microsoft recommends that users patch their systems immediately.

Alternatively, if patching is not immediately possible, Microsoft suggests adding users to the Protected Users group in Active Directory and blocking outbound SMB traffic on TCP port 445. These measures may help to limit the impact of the CVE-2023-23397 vulnerability.

Vulnerability Actively Exploited

The Computer Emergency Response Team for Ukraine (CERT-UA) has reported this zero-day vulnerability to Microsoft. According to Microsoft, cybercriminals linked to Russian intelligence services have actively exploited this vulnerability. The Threat Actors (TAs) have been using this exploit to target government, military, energy, and transportation organizations in the past year.

Remediation

Microsoft has provided a PowerShell script as a solution to the issue at hand. The script is designed to scan emails, calendar entries, and task items and to verify if they have the “PidLidReminderFileParameter” property. By running the script, administrators can locate problematic items that have this property and subsequently remove them or delete them permanently.

Figure 1 – PowerShell Script Removes PidLidReminderFileParameter Property

A security researcher has developed a Python script that scans emails to identify the presence of the “task.file.msg_data.reminderFileParameter” parameter, which is used to exploit this vulnerability.

Figure 2 – Python Script to Identify ReminderFileParameter

Vulnerability Details

The TA can exploit the CVE-2023-23397 vulnerability by sending a specially crafted email that uses an extended MAPI property containing the UNC path of an attacker-controlled SMB share. When the Outlook client receives the malicious message, it tries to authenticate to the attacker-controlled SMB server with the victim's NTLM hash. The TA acquires the target's NTLM hash, which could then be used for lateral movement across the network.

According to Microsoft, the property "PidLidReminderFileParameter" specifies the name of the audio file that an Outlook client should play when a reminder for a specific object becomes overdue. Because this property accepts a filename, the filename can be a UNC path, which causes NTLM authentication to be triggered.
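The two scanning scripts described under Remediation and the property explanation above both reduce to one check: does an item's reminder-file property hold a UNC path, and where does that path point? The following Python is an added example written for this article; it is not Microsoft's PowerShell script, the researcher's Python script, or Cyble's own code. It assumes mailbox items have already been read into plain dictionaries keyed by the property name (a real scan would pull them via EWS or an .msg parser), and the allowlisted host, corporate DNS suffix and sample items are constructed values, not data from the advisory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed organisation-specific settings (assumptions, not values from the advisory).
TRUSTED_HOSTS = {"fileserver.corp.example"}   # hosts allowed to serve reminder sound files
INTERNAL_DNS_SUFFIX = ".corp.example"         # corporate DNS suffix

# RFC 1918, loopback and link-local ranges, listed explicitly rather than via
# ipaddress.is_private(), which also treats documentation ranges such as
# 203.0.113.0/24 as private and would misclassify the sample below.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# A UNC path: two separators, a host, then an optional share/file remainder.
# Forward slashes are accepted because Windows resolves //host/share as well.
_UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/]+(.*))?$")

# The MAPI property named in the advisory; items are represented as plain dicts here.
PROPERTY = "PidLidReminderFileParameter"


@dataclass
class Finding:
    item_id: str
    value: str
    host: Optional[str]
    verdict: str  # "clean", "internal_unc" or "external_unc"


def parse_unc_host(value: str) -> Optional[str]:
    """Return the host part of a UNC path, or None if the value is not a UNC path.

    A WebDAV-style port suffix (host@80) is stripped so the host can be classified;
    the suffix does not change which machine receives the NTLM negotiation.
    """
    m = _UNC_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).split("@", 1)[0].lower()


def host_is_internal(host: str) -> bool:
    """True for allowlisted hosts, RFC 1918/loopback/link-local IPs and corporate names."""
    if host in TRUSTED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names resolve inside the LAN; otherwise
        # only the corporate DNS suffix counts as internal.
        return "." not in host or host.endswith(INTERNAL_DNS_SUFFIX)
    return any(ip in net for net in _INTERNAL_NETS)


def classify_item(item: dict) -> Finding:
    """Classify one mailbox item by its PidLidReminderFileParameter value."""
    value = item.get(PROPERTY) or ""
    host = parse_unc_host(value) if value else None
    if host is None:
        verdict = "clean"            # absent, or a local file such as C:\Windows\Media\chimes.wav
    elif host_is_internal(host):
        verdict = "internal_unc"     # still forces NTLM to that host; review and remove
    else:
        verdict = "external_unc"     # matches the exploitation pattern; remove and investigate
    return Finding(item["id"], value, host, verdict)


def scan_items(items: Iterable[dict]) -> List[Finding]:
    """Classify every item; the result feeds the remove/investigate decision."""
    return [classify_item(it) for it in items]


def items_to_remove(findings: Iterable[Finding]) -> List[str]:
    """IDs of every item whose reminder property is a UNC path, internal or external."""
    return [f.item_id for f in findings if f.verdict != "clean"]


# Constructed sample mailbox items standing in for what the scanning scripts read.
SAMPLE_ITEMS = [
    {"id": "msg-001",  PROPERTY: r"\\203.0.113.10\share\alert.wav"},
    {"id": "cal-002",  PROPERTY: r"\\fileserver.corp.example\sounds\chime.wav"},
    {"id": "task-003", PROPERTY: r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-004"},
    {"id": "msg-005",  PROPERTY: r"\\evil.example.net@80\dav\x.wav"},
    {"id": "msg-006",  PROPERTY: r"\\10.1.2.3\c$\x.wav"},
]

if __name__ == "__main__":
    findings = scan_items(SAMPLE_ITEMS)
    for f in findings:
        print(f"{f.item_id:9} {f.verdict:13} host={f.host!r} value={f.value!r}")
    print("remove:", items_to_remove(findings))
```

Every UNC value is reported, not only external ones, because a reminder that points at an internal host still makes the client send an NTLM negotiation there, and the advisory's remediation is to remove any item carrying the property. The external/internal split only sets the investigation priority.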

Figure 3 – PidLidReminderFileParameter

The PoC created by MdSec is illustrated in the figure below, demonstrating that the "PidLidReminderFileParameter" attribute is set to a UNC path. MdSec has noted that opening the email immediately triggers NTLM authentication to an IP address, regardless of whether the user has selected the option to load remote images.

Figure 4 – Proof of Concept (source: mdsec)

Conclusion

The CVE-2023-23397 vulnerability is extremely severe and has already been exploited by Russian threat actors in past attacks. What makes it particularly concerning is that it can be exploited without requiring any action from the targeted user. Based on the information available about the attacks, it is likely that we will see more incidents in the future. Other TAs may also attempt to exploit this vulnerability in order to target their victims.

Our Recommendations

  • To prevent attacks exploiting CVE-2023-23397, we strongly recommend that organizations either apply the available patch immediately or, as a temporary measure, add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445). By taking these steps, the impact of the vulnerability can be minimized, and the risk of successful attacks can be greatly reduced.
  • Microsoft has made available documentation and a script to help organizations determine whether they have been targeted by TAs attempting to exploit the CVE-2023-23397 vulnerability. This can be a useful resource for organizations to assess whether they have been impacted by any attacks exploiting this vulnerability and take appropriate action to mitigate the impact if necessary.
