Microsoft Outlook: 9.8 scored vulnerability CVE-2023-23397 - March 2023


Userlevel 7
Badge +12
  • On the path to Greatness
  • 1273 comments

Yesterday Microsoft published a patch for Outlook which fixes an Elevation of Privilege Vulnerability with a CVSSv3 Score of 9.8. Attackers can gain access to users credentials or NTLM hashes via a prepared email which contains a UNC path to a SMB share. The victim doesn’t even have to open/view the email; the login attempt happens as soon as Outlook receives the email.

Fix

Patches have been published for Microsoft Outlook 2013 and above. As this vulnerability is very critical and does have a low complexity, you should patch as soon as possible. Also it seems that threat actors are using this vulnerability since over a year.

Patches are linked in the corresponding article from Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Please be aware that possibly all other Outlook versions which are already End of Life (2010,2007,...) are also affected, but don’t receive any patches anymore.

Workaround

There are 2 workarounds available:

  • Add users to “Protected Users Security Group”: This will completly prevent the use of NTLM for those users, but could also break other applications
  • Block TCP 445 (SMB) to the internet/external network: This prevents login attempts to prepared SMB shares

Check if you’re affected

There’s a Powershell script available from Microsoft which checks if your mailboxes contain emails with such UNC shares. If it finds any emails then you should further investigate if the vulnerability has been exploited.

https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/


5 comments

Userlevel 3
Badge

Thanks for sharing this one @regnor

Userlevel 7
Badge +7

Thanks for sharing!

Userlevel 7
Badge +20

Wow 9.8 in Outlook.  Time to get patching.  Thanks for sharing this.

Userlevel 7
Badge +4

Thanks Max, 

for Microsoft 365 users it’s already available upgrade from desktop app.

Userlevel 1
Badge

Ok thank you!  In patch mode now

Comment