Hackers Exploiting Microsoft Outlook Privilege Escalation Flaw in The Wild

In response to the discovery of a critical vulnerability in Microsoft Outlook, CVE-2023-23397, actively exploited in the wild by the threat actors, Cisco Talos urges all Outlook users to update their email clients as soon as possible after the vulnerability has been discovered.

While Microsoft later determined that the activities resulted from Russian-based actors, and they were being used in targeted attacks against a limited number of organizations.

As a result of the exploitation of this security vulnerability, the attacks were conducted between mid-April and December 2022. During this time, threat actors targeted and breached the networks of about 15 critical organizations related to:-

• Government
• Military
• Energy
• Transportation

To steal NTLM hashes, the hackers sent malicious Outlook notes and tasks to the targeted devices to force them to authenticate to the attacker-controlled SMB that shares the hashes.

Flaw Details

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It’s a vulnerability in NTLM and could be exploited for credential theft to gain affluent access to an organization through an escalation of privilege vulnerability.

• CVE ID: CVE-2023-23397
• Released: Mar 14, 2023, Last updated: Mar 15, 2023
• Impact: Elevation of Privilege
• Summary: Microsoft Outlook Elevation of Privilege Vulnerability
• Severity: Critical
• CVSS Score: 9.8

Threat actors can create emails, calendar invites, or tasks that contain the extended MAPI property “PidLidReminderFileParameter.”

“PidLidReminderFileParameter” allows the client to specify the filename of the sound to be played when the reminder for an object becomes overdue.

This PidLidReminderFileParameter property is used by the attacker to specify a path to the SMB share controlled by the attacker via a Universal Naming Convention (UNC).

An attacker may be able to make use of the Net-NTLMv2 hash sent by a vulnerable system to constitute an NTLM Relay attack against another system. 

Mitigations

As a result, Microsoft researchers have affirmed some key mitigations that organizations must follow as a precaution to keep themselves safe from this kind of cyber attack:-

• Installing the patch, Microsoft provides as soon as possible would be ideal for addressing this vulnerability.
• To prevent the use of NTLM as a method of authentication, users must make use of the Protected Users Security Group.
• It is very important that you block port TCP/445 outbound from your network in order to prevent the NTLM messages from leaving the network.
• A script released by Microsoft provides administrators with the ability to audit their Exchange server for messaging items that have PidLidReminderFileParameters set to Universal Naming Convention (UNC) paths.
• Admins must clean up the property and remove malicious items or even permanently delete items if that is what is required with the help of this script.

Microsoft Outlook on Windows is affected by this privilege escalation vulnerability with a severity rating of 9.8, which affects all versions of the application.

By sending a malicious email to the target, an attacker can use this vulnerability to steal their NTLM credentials in a matter of seconds.

Whenever Outlook is open, the reminder will be displayed on the system, and no interaction with the user is required as the exploitation occurs automatically.

In short, it’s strongly advised by security analysts that admins must apply and check all the recommended mitigations immediately to prevent any attack effectively.

Network Security Checklist – Download Free E-Book

Related Read: