A critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that enables remote password hash theft simply by receiving an email has been disclosed by security experts.
Microsoft issued a fix for the vulnerability on Tuesday. All Windows versions of Microsoft Outlook are affected by the privilege escalation vulnerability, which is rated 9.8 in severity.
With a simple phishing email, an attacker can use it to steal NTLM credentials from the target. No user interaction is required: exploitation occurs as soon as Outlook is open and the reminder fires on the system.
Windows New Technology LAN Manager (NTLM) is a form of authentication for Windows domains that uses hashed login credentials.
Despite its known weaknesses, NTLM authentication is still used on new systems to maintain compatibility with legacy systems.
It operates on password hashes that a client sends to a server when attempting to access a shared resource, such as an SMB share. If these hashes are stolen, they can be used to authenticate on the network.
Microsoft explained that an attacker can leverage CVE-2023-23397 to collect NTLM hashes by delivering “a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server”.
“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication” – Microsoft
What You Should Do
This is a critical Microsoft Outlook vulnerability, and we recommend immediate action.
Microsoft provides a script, CVE-2023-23397.ps1, that checks on-premises and Online mailboxes for all instances of the PidLidReminderFileParameter property. When it completes, a CSV is created if any were found. In the PidLidReminderFileParameter column, look for anything that may point externally. Entries such as reminder.wav are fine; you do not want to see anything pointing to host.domain.com or to an IP address. If any are found, keep those in a CSV and run the script again, instructing it to clean.
Administrators are strongly advised to prioritize patching CVE-2023-23397 and to use Microsoft’s script to look for indications of exploitation by confirming whether messaging objects in Exchange contain a UNC path.
Because they don’t support NTLM authentication, online services such as Microsoft 365 are not exposed to this vulnerability.
Mirazon will be glad to assist in any way necessary to help keep your business and IT environment protected through the use of a Layered Security Strategy. Reach out to us if you’d like to learn more by using the information below!
If you’d like assistance dealing with this critical Microsoft Outlook vulnerability, please contact us and call (502) 240-0404 or email us at firstname.lastname@example.org.
Mirazon is a company of trusted IT advisors for organizations large and small. Founded in 2000 in Louisville, Kentucky, Mirazon focused on providing world-class technology consulting to local businesses. Decades later, we specialize in Microsoft, Wi-Fi, networking, cloud computing, and desktop support. While we hang our hats in Louisville, we travel the world to serve our clients from small, local businesses all the way up to Fortune 500 companies.