Yesterday Microsoft published a patch for Outlook which fixes an Elevation of Privilege Vulnerability with a CVSSv3 Score of 9.8. Attackers can gain access to users credentials or NTLM hashes via a prepared email which contains a UNC path to a SMB share. The victim doesn’t even have to open/view the email; the login attempt happens as soon as Outlook receives the email.
Patches have been published for Microsoft Outlook 2013 and above. As this vulnerability is very critical and does have a low complexity, you should patch as soon as possible. Also it seems that threat actors are using this vulnerability since over a year.
Patches are linked in the corresponding article from Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Please be aware that possibly all other Outlook versions which are already End of Life (2010,2007,...) are also affected, but don’t receive any patches anymore.
There are 2 workarounds available:
- Add users to “Protected Users Security Group”: This will completly prevent the use of NTLM for those users, but could also break other applications
- Block TCP 445 (SMB) to the internet/external network: This prevents login attempts to prepared SMB shares
Check if you’re affected
There’s a Powershell script available from Microsoft which checks if your mailboxes contain emails with such UNC shares. If it finds any emails then you should further investigate if the vulnerability has been exploited.