Date: 15-03-2023
On Tuesday, March 14th 2023, Microsoft patched a high risk vulnerability in Microsoft Outlook (CVE-2023-23397) that can provide an attacker high privileges without authentication[1]. This vulnerability can be exploited by an attacker by sending a malicious email to a victim with a vulnerable version of Outlook in order impersonate the victim and get access to victim’s device[2]. Microsoft also suggested this exploitation can occur before the email is viewed in the preview pane. This means no interaction from the victim is needed for a successful attack. Subsequently, this may lead attackers to gain access of the victim’s NTLM hash and allow an attacker to authenticate as the user. We recommend to install the update provided by Microsoft as soon as possible[4].
Impact:
We estimate the risk of this vulnerability as high, because the successful exploitation could lead the attacker to access the device as an user. This vulnerability affects Microsoft Exchange server. This vulnerability is tracked under CVE-2023-27532 and has a CVSSv3.1 score of 9.8.
Risk:
As the vulnerability is related to gaining the privilege access by an attacker, the risk of this exploitation is high. At the time of writing there is no indication that this vulnerability is currently actively exploited in the wild[3].
What should you do?
This vulnerability is currently mitigated in the latest Microsoft updates and thus, we advise to install the Outlook Security Update regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, other hosting platforms)[4]. Also, we advice to add the users to the 'Protected Users' security group, however this may cause impact to applications that require NTLM authentication[4]. Finally, we recommend to block outbound TCP traffic over port 445 from the network using a perimeter firewall, a local firewall and also via VPN settings[1].
What will Northwave do?
At the moment, the vulnerability is mitigated by Microsoft in the latest updates. Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. we will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Sources:
[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2023-0128
[4]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.