On March 14, 2023, Microsoft released its monthly security updates, which included patches for 76 vulnerabilities across various products. Among them was CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook that was actively exploited by threat actors before it was fixed. The vulnerability allows an attacker to steal the Net-NTLMv2 hash of an email recipient by sending a malicious email to a vulnerable version of Outlook. The attacker can then use this hash to authenticate as the victim recipient in an NTLM relay attack.
What is CVE-2023-23397?
CVE-2023-23397 is a vulnerability that affects all Microsoft Outlook products on the Windows operating system. It is caused by a flaw in how Outlook handles extended MAPI properties, which are used to store additional information about email messages, calendar invites, or tasks. One of these properties,
PidLidReminderFileParameter, can be used to specify a UNC path to an SMB (TCP 445) share on a remote server.
When Outlook processes an email message containing this property with a malicious UNC path, it will attempt to connect to the remote server without prompting the user for credentials. This connection will leak the Net-NTLMv2 hash of the email recipient, which is a cryptographic representation of their username and password. The attacker can capture this hash from their server and use it to authenticate as the victim recipient in an NTLM relay attack. This attack can allow the attacker to access network resources or execute commands on behalf of the victim.
The attacker can use tools such as Hashcat or John the Ripper to crack the hash and obtain the user’s plaintext password. Alternatively, they can use tools such as Impacket or Responder to relay this hash to another system or service that accepts NTLM authentication and impersonate the user without cracking their password.
How was CVE-2023-23397 discovered?
CVE-2023-23397 was discovered by researchers from CERT-UA and Microsoft Threat Intelligence Center (MSTIC) who observed active exploitation of this vulnerability in targeted attacks against Ukrainian government agencies. The attackers used phishing emails with malicious attachments that contained embedded OLE objects with extended MAPI properties. These emails were designed to look like legitimate correspondence from other government entities or international organizations.
The exploitation of CVE-2023-23397 does not require any user interaction from the victim recipient. The vulnerability can be triggered before the email is viewed in the Preview Pane or opened by the user. This makes it very stealthy and effective for compromising unsuspecting victims.
How is CVE-2023-23397 exploited?
CVE-2023-23397 can be exploited by sending a specially crafted email message to an Outlook user. The email message does not need any attachments or links and does not require any user interaction from the recipient. The exploitation can occur even before the email message is viewed in the Preview Pane. There are a number of PoCs out, but we found the one by ka7ana to be a simple but effective one.
The following steps illustrate how an attacker can exploit this vulnerability:
- The attacker creates an SMB server on their machine and configures it to capture Net-NTLMv2 hashes from incoming connections.
- The attacker crafts an email message with an extended MAPI property PidLidReminderFileParameter that contains a UNC path pointing to their SMB server (e.g., \attacker.com\share).
- The attacker sends this email message to their target Outlook user.
- When Outlook receives this email message, it will automatically connect to \attacker.com\share and send its Net-NTLMv2 hash as part of the authentication process.
- The attacker captures this hash and either cracks it or relays it to another system or service that accepts NTLM authentication.
What are the impacts of CVE-2023-23397?
CVE-2023-23397 poses a serious threat to Outlook users as it allows attackers to steal their credentials without any user interaction or visible indication. This can lead to various impacts depending on what systems or services are accessible with these credentials, such as:
- Accessing sensitive data stored on file servers, SharePoint sites, OneDrive accounts or other cloud services
- Sending phishing emails or malware from compromised email accounts
- Escalating privileges on domain controllers or other servers
- Compromising other users’ accounts through lateral movement
- Conducting ransomware attacks
According to Microsoft, this vulnerability was exploited in the wild by state-sponsored actors and ransomware operators before it was patched. The Computer Emergency Response Team of Ukraine (CERT-UA) also reported that this vulnerability was used by Russian hackers against Ukrainian government agencies.
How can CVE-2023-23397 be mitigated and prevented?
Microsoft released security updates for CVE-2023-23397 on March 14, 2023 as part of its monthly Patch Tuesday release. Users are advised to apply these updates as soon as possible to protect themselves from this vulnerability. Alternatively, users can disable SMBv1/2/3 client functionality on their systems or block TCP port 445 at their network perimeter.
To prevent similar vulnerabilities in the future, users should also enable Network Level Authentication (NLA) for Remote Desktop Services (RDS) and restrict NTLM authentication on their domain controllers using Group Policy settings. These measures can help reduce the risk of NTLM relay attacks.