Microsoft Outlook Elevation of Privilege:
A known vulnerability

What is the vulnerability?

On March 14, 2023, Microsoft disclosed a critical security vulnerability in Microsoft Outlook. It allows attackers to obtain users' passwords in hashed form (NetNTLMv2) without any user interaction, simply by sending a manipulated calendar invitation. If these passwords are weak, attackers can crack the hashes and access sensitive data. All versions of Microsoft Outlook for Windows are affected. Microsoft has released an update that fixes the problem. It should be emphasized, however, that this gap could also have been closed with common IT best-practice configurations. These measures should be implemented on all affected systems to further increase protection and counter future threats.


Offense: The attack in detail

A manipulated calendar invitation, which the attacker sends to the victim by email, contains a path to a custom notification sound. This path is a Universal Naming Convention (UNC) path pointing to an SMB server on the Internet that the attacker controls. By default, a Windows client attempts to authenticate when it opens a UNC path, using the NetNTLMv2 method, and therefore sends the NetNTLMv2 hash to the attacker's SMB server. The attacker can then use the hash in a relay attack or crack it offline (to make this as difficult as possible for attackers, see Defense: Password management). You can find out more about this in our blog entry:

Proof of Concept (PoC)

  1. A new appointment is created and the reminder time is set to 0 minutes.

  2. Under the “Sound…” option, the notification sound is set to the UNC path provided by the attacker.

  [Figure: reminder sound setting. Source: Outlook CVE-2023-23397: What to do? - Franky's Web]

  3. The attacker enters the UNC path and enables the setting “Play this sound”.

  [Figure: UNC path entered as reminder sound. Source: Outlook CVE-2023-23397: What to do? - Franky's Web]

  4. The appointment is sent to the victim and the reminder opens automatically.

  5. The NetNTLMv2 hash is transmitted to the attacker and intercepted by him.

  [Figure: Intercepted NetNTLMv2 hash]

  6. The attacker then cracks the exfiltrated NetNTLMv2 hash.

  [Figure: Cracking a weak password within 11 seconds]

Externally accessible systems

If you have Internet-facing systems that accept NTLM authentication, the authentication captured with the proof of concept described above can be relayed to those systems in order to gain access this way.

Prerequisites

For an attacker to be able to exploit the vulnerability via the Internet, the following conditions are decisive:

  • Outbound communication to the Internet on TCP port 445 is permitted
  • No Conditional Access policies (in particular no geo-blocking of logins from certain countries, for example based on the list of states within the meaning of Section 13 (1) No. 17 SÜG)
  • No multi-factor authentication

Which systems or services could be affected by this vulnerability?

All Microsoft Outlook versions for Windows are affected.

In Outlook for Windows, a user can store a sound file as an Outlook-specific notification tone. This is only possible in the Windows version of Outlook; Outlook for macOS, Linux and iOS/Android is not affected.

Defense: Ways to prevent the attack

Installing security updates

The first step should be to patch the affected software. Microsoft has already released security updates for the respective Outlook versions. These can be found in the Microsoft Update Guide:

Microsoft Security Update Guide - CVE-2023-23397

Workarounds / Further measures

Firewall configuration

The firewall configuration should be adjusted to restrict both inbound and outbound SMB connections. The VPN configuration for remote users should also be checked so that the restrictions still apply when the user is outside the local network. Enabling logging for these policies provides traceability.

Perimeter firewall:

  • Blocking SMB traffic on TCP port 445 from the local network to the Internet
  • Blocking inbound traffic on TCP port 445 (if necessary, additional TCP port 135)
  • Checking the split tunneling VPN settings
  • Enable logging for created policies

Local Windows Firewall:

  • Blocking outbound traffic TCP port 445 (computer → Internet)
  • Blocking inbound traffic TCP port 445 (Internet → Computer)

Blocking SMB traffic locally

The local Windows Firewall settings can be distributed across the domain via GPO. This also blocks the traffic for users who work remotely and are not on the company network.
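The local Windows Firewall rules described above, as an added PowerShell example (not code from the original article). It is run in an elevated PowerShell on the client; the rule and group names, the log size and the GPO name are assumptions. The address list is the IPv4 space outside RFC 1918 and loopback, plus IPv6 global unicast, so SMB to internal file servers and domain controllers keeps working while SMB to the Internet is blocked.

```powershell
# Added example, not from the original article. Adapt the ranges if your
# internal networks use addresses outside RFC 1918.
$RuleGroup = 'SMB egress hardening (CVE-2023-23397)'
$NonInternalRanges = @(
    '1.0.0.0-9.255.255.255',        # below 10.0.0.0/8
    '11.0.0.0-126.255.255.255',     # between 10/8 and loopback
    '128.0.0.0-172.15.255.255',     # between loopback and 172.16/12
    '172.32.0.0-192.167.255.255',   # between 172.16/12 and 192.168/16
    '192.169.0.0-223.255.255.255',  # above 192.168/16 up to multicast space
    '2000::/3'                      # IPv6 global unicast
)

# Windows Firewall applies explicit block rules before allow rules, so the
# block is scoped to non-internal destinations instead of being paired with
# an "allow internal" rule that a blanket block would override.
New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445) to non-internal addresses' `
    -Group $RuleGroup -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $NonInternalRanges -Action Block -Profile Any

New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) from non-internal addresses' `
    -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $NonInternalRanges -Action Block -Profile Any

# Log dropped packets on all profiles so blocked SMB attempts are traceable.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Verify the scope of the rules just created.
Get-NetFirewallRule -Group $RuleGroup | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# To distribute the same rules via GPO instead of the local store, add
#   -PolicyStore 'corp.example\SMB-Egress-Hardening'   (placeholder GPO name)
# to each New-NetFirewallRule call.
```

Because the rules are bound to all profiles, they also apply when the client is on a public network or connected through a split-tunnel VPN, which is the case the article's VPN remark is about.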

Password management

The key to success is the implementation of a complex password policy. This can be done via the “Default Password Policy” or via a “Fine Grained Password Policy”. You can find further information about this in our knowledge base article. Since computing power has increased continuously in recent years, raising the minimum requirements for passwords based solely on length no longer makes sense. Instead, blacklisting of simple passwords (e.g. Summer2024!, CompanyNameYear!, NameMyMother+) should be promoted in order to make password cracking by dictionary attack more difficult. Implementing multi-factor authentication is essential under today's computing power conditions: on the one hand it allows users to have simpler passwords, and on the other hand it protects administrative accounts more effectively, which also makes the attacker's job more difficult.
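A fine-grained password policy and a banned-word check of the kind described above, as an added PowerShell example (not code from the original article). It requires the ActiveDirectory module; the PSO name and values, the group and user names and the banned-word list are assumptions to be adapted to your environment.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

# Fine-grained password policy for privileged accounts. Lower precedence wins
# when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 16 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins', 'Tier0-Admins'

# Privileged accounts additionally go into Protected Users, which stops NTLM
# being used for them at all.
Add-ADGroupMember -Identity 'Protected Users' -Members 'adm.jdoe'

# Banned-word check of the kind a password filter or Entra Password Protection
# applies: common substitutions are undone (4/@ -> a, 3 -> e, 1/!/| -> i,
# 0 -> o, $/5 -> s) and remaining digits and symbols are stripped, so
# "Summer2024!" and "Summ3r!" both reduce to "summer" and match the list.
function Test-BannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BannedWords = @('summer', 'winter', 'password', 'welcome', 'companyname')
    )
    $normalized = $Password.ToLowerInvariant() `
        -replace '[@4]', 'a' -replace '3', 'e' -replace '[1!|]', 'i' `
        -replace '0', 'o' -replace '[$5]', 's' -replace '[^a-z]', ''
    foreach ($word in $BannedWords) {
        if ($normalized -like "*$word*") { return $true }
    }
    return $false
}

Test-BannedPassword 'Summer2024!'
Test-BannedPassword 'CompanyNameYear!'
Test-BannedPassword 'correct-horse-battery-staple'
```

The banned list is deliberately matched on the normalized core of the password, because a length-only policy is exactly what lets Summer2024! through; in production the list would be loaded from a file and include the company name, product names and local sports clubs.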

Configuration of conditional access policies

By adjusting the Conditional Access settings, e.g. geo-blocking of typical countries in Azure or on a firewall (perimeter or endpoint-protection firewall), or by revoking sessions, you can most likely cut off the attacker's access. After this response, an extensive evaluation of the log files is required to ensure that the attacker has not changed any settings elsewhere and thereby made access possible in other ways.

Configuration of IDS / IPS rules

Rules that enable detection should be implemented in an IDS; countermeasures can then be initiated in combination with IPS rules. Specifically, the goal is to detect, block and report the leakage of internal hashes via SMB to the Internet. The NetNTLMv2 hash is transmitted from a computer on the local network via port 445 to an external IP address (the attacker's SMB server), so this path needs to be monitored. Further information can be found in the section Indicators of Compromise.

Example Snort 3.0 rule for CVE-2023-23397:

alert file
(
  msg:"FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt";
  flowbits:isset,file.ole;
  file_data;
  content:"|1F 85 00 00|";
  content:"|1C 85 00 00|";
  content:"_|00|_|00|s|00|u|00|b|00|s|00|t|00|g|00|1|00|.|00|0|00|_|00|";
  content:"I|00|P|00|M|00|.|00|";
  content:"|00 00 00 00 5C 00 5C 00|";
  pcre:"/\x00\x00\x00\x00\x5c\x00\x5c\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}/";
  metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop;
  reference:cve,2023-23397;
  reference:url,msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/;
  classtype:attempted-user;
  gid:1; sid:300464;
  rev:1;
)

Protected Users security group

Users can be added to the Protected Users security group in Active Directory. This prevents NTLM from being used as an authentication mechanism for those accounts. Note that this may cause restrictions in applications that use or require NTLM.

Detect: Detect attacks using Indicators of Compromise (IoCs)

Registry key modification

If a user has never used the reminder function, certain registry keys do not exist. If they are nevertheless present, this can be an indicator of compromise:

  • HKCU\Software\Microsoft\Office\ \Outlook\Tasks

  • HKCU\Software\Microsoft\Office\ \Outlook\Notes

Microsoft-Windows-SMBClient/Connectivity event logs

This event log records errors and warnings for SMB and WebDAV connections.

The event IDs 0800, 30803, 30806, 30804 and 31001 should be checked for connections to untrusted servers.
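Both endpoint indicators above (the reminder registry keys and the SMB client connectivity events), as an added PowerShell example to run on the endpoint under investigation (not code from the original article). Assumptions: the article's event ID "0800" is read as 30800; the target server is extracted from the event message text with the regex below; the trusted DNS suffix list is a placeholder.

```powershell
# Added example, not from the original article.

# RFC 1918 and loopback addresses count as internal; anything else is flagged.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

# IoC 1: the Tasks/Notes keys only exist once the reminder feature has been
# used; their presence for a user who never used reminders is suspicious.
function Get-OutlookReminderKeys {
    $root = 'HKCU:\Software\Microsoft\Office'
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # e.g. 16.0
        ForEach-Object {
            $version = $_.PSChildName
            foreach ($sub in 'Outlook\Tasks', 'Outlook\Notes') {
                [pscustomobject]@{
                    Key     = "HKCU\Software\Microsoft\Office\$version\$sub"
                    Present = Test-Path "$root\$version\$sub"
                }
            }
        }
}

# IoC 2: SMB client connectivity events whose target is neither a private
# IPv4 address nor a host under a trusted internal DNS suffix. Events where
# no target can be parsed are kept (External = True) so they get reviewed.
function Get-ExternalSmbClientEvents {
    param(
        [int]$Days = 30,
        [string[]]$TrustedSuffixes = @('.corp.example')   # placeholder
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBClient/Connectivity'
        Id        = 30800, 30803, 30804, 30806, 31001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $server = $null
        if ($_.Message -match '\\\\([^\\\s]+)')           { $server = $Matches[1] }
        elseif ($_.Message -match 'Server name:\s*(\S+)') { $server = $Matches[1] }
        $trusted = $false
        if ($server) {
            $trusted = (Test-PrivateIPv4 $server) -or
                       [bool]($TrustedSuffixes | Where-Object { $server.ToLower().EndsWith($_) })
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Server   = $server
            External = -not $trusted
            Message  = ($_.Message -split "`n")[0]
        }
    } | Where-Object External
}

Get-OutlookReminderKeys
Get-ExternalSmbClientEvents | Format-Table -AutoSize
```

Any flagged server that is an Internet address should be compared against the IP addresses listed under Known IP addresses and against the perimeter firewall logs for TCP 445 connections at the same time.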


WebDAV Process Creation events

If SMB traffic to the Internet is blocked or otherwise fails, Windows falls back to WebDAV to establish the connection. This leads to a potentially unique process creation event that can be tracked in Endpoint Detection & Response (EDR) solutions or other endpoint logging mechanisms (e.g. Sysmon logs).


Exchange Server Logs

The following logs on Exchange servers can be checked for potential exploitation of the vulnerability:

  • EWSLogs

  • IISLogs

  • PowerShellLogs

  • ServerInformation

  • ExchangeServerInformation

  • MessageTrackingLogs

  • OWALogs

The logs can, for example, provide information about whether there was unauthorized access via a relay attack. More detailed information can be found in the corresponding Microsoft article.

Known IP addresses

According to Microsoft, the following IP addresses have been linked to attacks:

  • 101.255.119[.]42

  • 213.32.252[.]221

  • 168.205.200[.]55

  • 185.132.17[.]160

  • 69.162.253[.]21

  • 113.160.234[.]229

  • 181.209.99[.]204

  • 82.196.113[.]102

  • 85.195.206[.]7

  • 61.14.68[.]33

React: How do I deal with detected attackers on the network?

Initiate the first steps of incident response

Immediate measures can be found in our knowledge base article:

Exchange messaging items

Microsoft provides a script to check Exchange messaging items (mail, calendar, tasks) for modification of the affected property.

If the script detects a modification, a manual decision must be made as to whether it is a potentially dangerous value. If the modification is classified as harmful, you can use the script to perform a cleanup of the messaging item. The exact steps are described in detail in the article linked above.

User accounts

For every user against whom an attack attempt was made, and for every user who has been compromised, the password must be reset and, if not already in place, additional security mechanisms (such as multi-factor authentication) must be set up.


References / MITRE ATT&CK
