Cyber Security Insight: Exploiting CVE-2023-23397

2 min 23 March 2023
img

What you need to know and do

Following recent security updates for the CVE-2023-23397 vulnerability, our Cyber team would like to highlight the severity of this issue for anyone using Microsoft Outlook. We want to underline how vital it is to always be conscious of emerging vulnerabilities and to maintain good security practices within your organisation to help prevent attacks.

In this case, the Microsoft Threat Intelligence team identified an information disclosure vulnerability in the Outlook desktop application. This vulnerability is trivial to exploit and upon successful exploitation, could grant an attacker access to user accounts and internal resources or services.

The vulnerability arises within the passing of Outlook meeting invites which, as with emails, can be received from any internal or external user.  For upcoming meetings, Outlook presents reminders and an audible notification. The vulnerability allows attackers to send uniquely crafted meeting invitations with a custom reminder sound located on an attacker-controlled server (specifically a UNC path to an SMB server). Upon receipt of the invite, Outlook will attempt to retrieve the custom sound by connecting to the attacker-controlled server and authenticating as the Outlook user by providing the Outlook user’s NetNTLMv2 hashed credentials to the attacker.

An attacker with access to the internal network would be able to relay this hash to other resources and services to gain access, whilst external attackers could attempt offline password-cracking attacks to attempt to yield the Outlook user’s cleartext password.

Exploitation

Our internal investigation and thorough testing has verified the severity of this vulnerability. To demonstrate the exploitation path, our Cyber team sent an email modifying the sound path parameter to point towards a remote SMB server controlled by ourselves. Observing the network traffic, it was then possible to retrieve the NetNTLMv2 hash.

There are indications that this vulnerability has been actively exploited by nation state actors for some months. With the public disclosure of the vulnerability, ease of exploitation and recently released public exploit code, exploitation of unpatched systems should be considered inevitable.

Please be aware and act now

Ensure your Office 365 applications are updated to the latest version: Version 2302 (Build 16130.20306) or later.

To do this: Open any office application e.g. Word -> File -> Account -> Check the version in About Word.

If you would like more information, please contact our Cyber team: Contact – FSP