Microsoft Outlook Exploit: attackers only need to know an email address

22. March, 2023

The Microsoft Outlook vulnerability CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability) can be used against any victim at any time with only the knowledge of a simple e-mail address. All Outlook versions for Windows are affected, security updates for Outlook 2013 to Office 365 have been delivered on patch tuesday on March 14, 2023. [1] So far only sighted in targeted attacks in the wild, we can expect increasing numbers of attacks after the publication of the vulnerability.

Details on the exploitation of the vulnerability and proof of concept freely available

CVE-2023-23397 allows for NTLM identity theft by just sending an e-mail that contains an extended MAPI property with a UNC path to an SMB (TCP 445) share to a server controlled by the attackers. Security researchers have reconstructed, that the exploit uses the “PidLidReminderFileParameter” that defines the reminder tone that Outlook plays when the entry is due. If this is located on an external server, it can request the authentication of the client and thus obtain the NTLM hash of the user from Outlook. [2]

The attack does not require any user interaction. Receiving a manipulated email alone is sufficient to start the damage routine––the email does not have to be opened or previewed. Attackers can use the stolen Net-NTLMv2 hashes for an NTLM relay attack against another service to identify as a user.

Security updates and workarounds released for quick fixes

To close the exploit, it is required to install the Outlook security update––regardless of where the email are hosted or if NTML authentication is supported. Additionally, Microsoft names two possible workarounds.

The “Protected Users” security group in Active Directory prevents the use of NTLM as an authentication mechanism and thus attacks on the users in this group. This measure promises a very quick remedy, but it can cause problems for users outside the company network who can then no longer log in offline, as well as with other applications that use NTLM. One must weigh up whether or for which users these side effects should be accepted until the security updates are installed.

Another measure against CVE-2023-23397 would be blocking TCP 445/SMB with the use of a perimeter firewall, a local firewall or the VPN settings. mpany network to the Internet is also blocked. However, it is important to remember that the perimeter firewall is not effective outside the company and in the home office and can therefore only ever be one component of the defence strategy.

Find and clean up potentially dangerous Outlook items

As soon as the vulnerability is closed, it is advisable to check if the own systems have already been compromised. Microsoft provides a script that can be executed directly on the exchange server and that checks exchange items like emails, calendar items ans tasks.

In audit mode, the script creates a CSV file with all elements with a set PidLidReminderFile parameter, which––depending on the parameter––can indicate that an attack has occurred. It is necessary to check this list manually. [3] In cleanup mode, the script can be used to clean up or permanently delete the manually selected items.