
On March 14, 2023, Microsoft disclosed a critical security vulnerability in Microsoft Outlook. It allows attackers to obtain a user's password in the form of a NetNTLMv2 hash, without any user interaction, by sending a specially crafted calendar invitation. If the password is weak, the attacker can crack the hash and gain access to sensitive data. All versions of Microsoft Outlook for Windows are affected. Microsoft has released an update that fixes the problem. It should be emphasized, however, that this security gap could also have been closed by common IT best-practice configurations. These measures should be implemented on all affected systems to further increase protection and counter future threats.
A crafted calendar invitation that an attacker sends to the victim by email contains a path to a custom notification sound. This path is a Universal Naming Convention (UNC) path, and its target is an SMB server on the Internet controlled by the attacker. By default, a Windows client attempts to authenticate when it accesses a UNC path, and NetNTLMv2 is used for this authentication. The Windows client therefore sends the NetNTLMv2 hash to the attacker's SMB server. The attacker can then use the hash in a relay attack or crack it offline (to make this as difficult as possible for attackers, see: Defense: Password management). You can find out more about this in our blog entry: Hashcat Password Cracking & Password Policy
1. A new appointment is created and the reminder time is set to 0 minutes.
2. Under the “Sound…” option, the notification sound is set to the UNC path provided by the attacker.
3. The appointment is sent to the victim and the reminder opens automatically.
4. The NetNTLMv2 hash is transmitted to the attacker and intercepted by them.
If you operate Internet-facing systems that accept NTLM authentication, the authentication captured with the proof of concept described above can be relayed to those systems in order to gain access to them.
In order for the attacker to be able to exploit the vulnerability via the Internet, the following points are crucial:
All Microsoft Outlook versions for Windows are affected.
In Outlook for Windows, the user is able to store a sound file as an Outlook-specific notification tone. This is only possible in the Windows version of Outlook. Outlook for macOS, Linux and iOS/Android are not affected.
The first step should be to patch the affected software. Microsoft has already released security updates for the respective Outlook versions. These can be found in the Microsoft Update Guide:
The firewall configuration should be adjusted to restrict SMB connections in both directions, incoming and outgoing. Furthermore, the VPN configuration for remote users should be checked so that the restrictions also apply when the user is not on the local network. Logging the hits on these rules provides traceability.
The local Windows Firewall settings can be distributed within the domain via GPO. This also blocks the traffic for users who work remotely and are not on the company network.
The key to success is the implementation of a complex password policy. This can be done via the “Default Password Policy” or via a “Fine Grained Password Policy”. You can find further information about this in our knowledge base article Hashcat Password Cracking & Password Policy. Since computing power has continuously increased in recent years, raising the minimum requirements for passwords based solely on length no longer makes sense. Instead, blacklisting of simple passwords (e.g. Summer2024!, CompanyNameYear!, NameMyMother+) should be promoted in order to make password cracking using a dictionary attack more difficult. Implementing multi-factor authentication is essential under today's computing power conditions: on the one hand it allows users to have simpler passwords, and on the other hand it protects administrative accounts more effectively, which also makes the attacker's job more difficult.
By adjusting the Conditional Access settings, e.g. geo-blocking (typical countries), for example in Azure or on a firewall (perimeter, endpoint protection firewall), or by revoking sessions, you can most likely revoke the attacker's access. After this response, an extensive evaluation of the log files is required to ensure that the attacker has not changed any settings anywhere and thereby made access possible in other ways.
Rules that enable detection should be implemented in an IDS. Countermeasures can be initiated in conjunction with IPS rules. Specifically, the aim is to detect, block and report the leakage of internal hashes via SMB to the Internet. The NetNTLMv2 hash is transmitted from a computer on the local network via port 445 to an external IP address (the attacker's SMB server). This path needs to be monitored. Further information can be found in the section Indicators of Compromise.
Example Snort rule (Snort 3.0 rule for CVE-2023-23397):
alert file
(
msg:"FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt";
flowbits:isset,file.ole;
file_data;
content:"|1F 85 00 00|";
content:"|1C 85 00 00|";
content:"_|00|_|00|s|00|u|00|b|00|s|00|t|00|g|00|1|00|.|00|0|00|_|00|";
content:"I|00|P|00|M|00|.|00|";
content:"|00 00 00 00 5C 00 5C 00|";
pcre:"/\x00\x00\x00\x00\x5c\x00\x5c\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}/";
metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop;
reference:cve,2023-23397;
reference:url,msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/;
classtype:attempted-user;
gid:1; sid:300464;
rev:1;
)
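To make the rule above easier to read, here is an added Python model of what it keys on; this is example code written for this article, not part of the Snort rule set or of any Microsoft tooling. It re-implements the rule's content and pcre checks over a byte buffer so each condition can be inspected separately: the two 4-byte values are the little-endian named-property IDs 0x851F (PidLidReminderFileParameter) and 0x851C (PidLidReminderOverride) from MS-OXPROPS, the UTF-16LE strings are the "__substg1.0_" stream-name prefix and the "IPM." message class found in an Outlook .msg compound file, and the pcre looks for a UTF-16LE UNC path whose host is a dotted-quad IP address. The sample buffers are constructed for the example and are not real .msg files; 203.0.113.10 is a documentation address.

```python
"""Added example: a Python model of the Snort rule's content and pcre checks."""
import re

# Byte patterns copied from the Snort rule. The two 4-byte values are the
# little-endian named-property IDs 0x851F (PidLidReminderFileParameter) and
# 0x851C (PidLidReminderOverride); the rest are UTF-16LE strings found in an
# Outlook .msg compound file: the "__substg1.0_" stream-name prefix and the
# "IPM." message-class prefix.
CONTENT_PATTERNS = {
    "prop_0x851F": b"\x1f\x85\x00\x00",
    "prop_0x851C": b"\x1c\x85\x00\x00",
    "substg_prefix": "__substg1.0_".encode("utf-16-le"),
    "ipm_class": "IPM.".encode("utf-16-le"),
    "unc_prefix": b"\x00\x00\x00\x00\x5c\x00\x5c\x00",
}

# The rule's pcre: four NUL bytes, a UTF-16LE "\\", then a dotted-quad IP
# address, also UTF-16LE encoded (each digit or dot followed by a NUL byte).
UNC_IP_RE = re.compile(
    rb"\x00\x00\x00\x00\x5c\x00\x5c\x00"
    rb"(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}\x2e\x00(\d\x00){1,3}"
)


def check_contents(buf: bytes) -> dict:
    """Report, per content pattern, whether it occurs in the buffer.

    The rule uses no distance/within modifiers, so Snort evaluates each
    content independently; a plain substring search models that."""
    return {name: pat in buf for name, pat in CONTENT_PATTERNS.items()}


def extract_unc_host(buf: bytes):
    """Return the dotted-quad host of the UNC path the pcre matches, or None."""
    m = UNC_IP_RE.search(buf)
    if m is None:
        return None
    # Skip the 4 NUL bytes and the UTF-16LE "\\" (8 bytes), decode the IP.
    return m.group(0)[8:].decode("utf-16-le")


def is_suspicious(buf: bytes) -> bool:
    """True when every content check and the pcre fire, i.e. the rule alerts."""
    return all(check_contents(buf).values()) and extract_unc_host(buf) is not None


def build_sample(sound_path: str) -> bytes:
    """Construct a simplified blob carrying the markers the rule looks for.

    This is a constructed test input, not a valid .msg file: it simply
    concatenates the property IDs, the stream-name prefix, a message class
    and the reminder sound path in the encodings the rule expects."""
    return b"".join([
        b"\x1f\x85\x00\x00",                    # PidLidReminderFileParameter ID
        b"\x1c\x85\x00\x00",                    # PidLidReminderOverride ID
        "__substg1.0_".encode("utf-16-le"),     # stream-name prefix
        "IPM.Appointment".encode("utf-16-le"),  # message class of a calendar item
        b"\x00\x00\x00\x00",                    # stands in for bytes preceding the path
        sound_path.encode("utf-16-le"),         # PidLidReminderFileParameter value
    ])


# Constructed samples; 203.0.113.10 is a documentation (TEST-NET-3) address.
MALICIOUS_SAMPLE = build_sample(r"\\203.0.113.10\share\alert.wav")
BENIGN_SAMPLE = build_sample(r"C:\Windows\Media\chimes.wav")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, check_contents(sample), extract_unc_host(sample), is_suspicious(sample))
```

Note that the pcre only matches UNC paths whose host is an IP literal; a path with a DNS hostname satisfies the content checks but not the pcre, so this rule alone is not complete coverage. That is one more reason to combine IDS detection with the egress filtering of port 445 described above.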
Users can be added to the Protected Users security group in Active Directory. This prevents the use of NTLM as an authentication mechanism. Note that this may cause restrictions in applications that use or require NTLM.
If a user has never used the reminder function, certain registry keys will not exist. If they are present anyway, this can be an indicator of compromise:
HKCU\Software\Microsoft\Office\ \Outlook\Tasks
HKCU\Software\Microsoft\Office\ \Outlook\Notes
The Windows SMB client event log records server errors and warnings for SMB and WebDAV connections.
Check it for the event IDs 0800, 30803, 30806, 30804, and 31001 where the server name is not one of your trusted servers.
If SMB traffic to the Internet is blocked or otherwise fails, Windows falls back to WebDAV to establish the connection. This leads to a potentially unique process creation event that can be tracked in Endpoint Detection & Response (EDR) solutions or other endpoint logging mechanisms (e.g. Sysmon logs).
The following logs on Exchange servers can be checked for potential exploitation of the vulnerability:
EWSLogs
IISLogs
PowerShellLogs
ServerInformation
ExchangeServerInformation
MessageTrackingLogs
OWALogs
These logs can, for example, provide information about whether unauthorized access via a relay attack took place. More detailed information can be found in the corresponding Microsoft article.
According to Microsoft, the following IP addresses have been linked to attacks:
101.255.119[.]42
213.32.252[.]221
168.205.200[.]55
185.132.17[.]160
69.162.253[.]21
113.160.234[.]229
181.209.99[.]204
82.196.113[.]102
85.195.206[.]7
61.14.68[.]33
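As an added example serving both the IDS paragraph above (outbound SMB on port 445 to an external address) and this IoC list, the following Python script flags suspicious connections in firewall log lines. It is example code written for this article, not a ProSec or Microsoft tool. The log format is a constructed key=value layout, the internal address ranges are assumed to be the RFC 1918 networks (adjust to your own address plan), and the sample lines are constructed; the IoC addresses are exactly those listed above, refanged from the "[.]" notation. Connections to an IoC address are reported on any port, which also covers the WebDAV fallback over 80/443 mentioned in the previous section.

```python
"""Added example: flag outbound SMB to the Internet and hits on the published
IoC addresses in constructed firewall log lines."""
import ipaddress
import re

# IoC addresses as published (defanged with "[.]"), taken from the list above.
IOC_IPS_DEFANGED = [
    "101.255.119[.]42", "213.32.252[.]221", "168.205.200[.]55", "185.132.17[.]160",
    "69.162.253[.]21", "113.160.234[.]229", "181.209.99[.]204", "82.196.113[.]102",
    "85.195.206[.]7", "61.14.68[.]33",
]


def refang(ip: str) -> str:
    """Turn a defanged IoC ("1.2.3[.]4") back into a parseable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS_DEFANGED}

# Assumption: the organisation's internal ranges are the RFC 1918 networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445

# Constructed key=value firewall log format (not a real product's format).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one constructed log line: '<timestamp> src=.. dst=.. proto=.. dport=.. action=..'."""
    fields = dict(FIELD_RE.findall(line))
    return {
        "ts": line.split()[0],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
        "action": fields.get("action", "unknown"),
    }


def analyse(lines) -> list:
    """Return one finding per suspicious line, with the reasons it was flagged.

    Two checks are applied:
      1. SMB (tcp/445) from an internal host to a non-internal address, the
         path the NetNTLMv2 hash takes; blocked attempts are reported too,
         because the attempt itself shows that a crafted reminder fired.
      2. Any connection to a published IoC address, whatever the port, which
         also covers the WebDAV fallback over 80/443.
    """
    findings = []
    for line in lines:
        e = parse_line(line)
        reasons = []
        if (e["proto"] == "tcp" and e["dport"] == SMB_PORT
                and is_internal(e["src"]) and not is_internal(e["dst"])):
            reasons.append("outbound SMB (tcp/445) to external address")
        if e["dst"] in IOC_IPS:
            reasons.append("destination is a published IoC address")
        if reasons:
            findings.append({"ts": e["ts"], "src": str(e["src"]), "dst": str(e["dst"]),
                             "action": e["action"], "reasons": reasons})
    return findings


# Constructed sample log; 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_LOG = [
    "2023-03-15T10:12:03Z src=10.10.1.23 dst=203.0.113.10 proto=tcp dport=445 action=allow",
    "2023-03-15T10:12:05Z src=10.10.1.23 dst=101.255.119.42 proto=tcp dport=445 action=block",
    "2023-03-15T10:12:06Z src=10.10.1.23 dst=101.255.119.42 proto=tcp dport=443 action=allow",
    "2023-03-15T10:13:00Z src=10.10.1.23 dst=10.10.5.5 proto=tcp dport=445 action=allow",
    "2023-03-15T10:13:30Z src=10.10.1.23 dst=203.0.113.10 proto=tcp dport=443 action=allow",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], f["action"], "; ".join(f["reasons"]))
```

Run against the sample, the first three lines are flagged (the internal file-server access on line four and the ordinary HTTPS connection on line five are not). A blocked SMB attempt is still a finding: the client only tried to reach that server because a reminder with a UNC sound path fired, so the source host and the originating calendar item deserve a look.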
Immediate measures can be found in our knowledge base article:
Microsoft provides a script to check Exchange messaging items (mail, calendar, tasks) for modification of the affected property.
If the script detects a modification, a manual decision must be made as to whether it is a potentially dangerous value. If the modification is classified as harmful, you can use the script to perform a cleanup of the messaging item. The exact steps are described in detail in the article linked above.
For every user against whom an attack attempt has been made and for every user who has been compromised, the password must be reset and, if not already in place, additional security mechanisms (such as multi-factor authentication) must be set up.
NVD: CVE-2023-23397
Microsoft Security Update Guide: Security Update Guide – Microsoft Security Response Center
Microsoft script for detection and cleanup: CVE-2023-23397 script – Microsoft – CSS Exchange
Microsoft guidance on dealing with CVE-2023-23397: Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog
Images for PoC: Outlook CVE-2023-23397: What to do? – Franky’s Web
BMI state list: List of states within the meaning of Section 13 Paragraph 1 No. 17 SÜG
Snort rule CVE-2023-23397: Snort – Rule Docs
ProSec initial measures: Hacked – what to do?
ProSec password cracking & password policy: Hashcat Password Cracking & Password Policy