{"id":51103,"date":"2023-03-21T00:00:00","date_gmt":"2023-03-21T00:00:00","guid":{"rendered":"urn:uuid:d46d012a-745e-81b6-e15d-62ae5a0bdca0"},"modified":"2023-03-21T00:00:00","modified_gmt":"2023-03-21T00:00:00","slug":"patch-cve-2023-23397-immediately-what-you-need-to-know-and-do","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do\/","title":{"rendered":"Patch CVE-2023-23397 Immediately: What You Need To Know and Do"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

How is CVE-2023-23397 exploited?<\/span><\/p>\n

The attacker sends a message to the victim with an extended Message Application Program Interface (MAPI) property with a Universal Naming Convention (UNC) path to a remote attacker-controlled Server Message Block (SMB, via TCP 445). Share-hosted on a server controlled by the attacker, the vulnerability is exploited whether the recipient has seen the message or not. The attacker remotely sends a malicious calendar invite represented by .msg \u2014 the message format that supports reminders in Outlook \u2014 to trigger the vulnerable API endpoint PlayReminderSound using \u201cPidLidReminderFileParameter\u201d (the custom alert sound option for reminders).<\/p>\n

When the victim connects to the attacker\u2019s SMB server, the connection to the remote server sends the user\u2019s New Technology LAN Manager (NTLM<\/a>) negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication.<\/p>\n

NTLMv2 hashes are the latest protocol Windows uses for authentication, and it is used for a number of services with each response containing a hashed representation of users\u2019 information, such as the username and password. As such, threat actors can attempt a NTLM relay attack to gain access to other services, or a full compromise of domains if the compromised users are admins. While online services such as Microsoft 365 are not susceptible to this attack because they do not support NTLM authentication, the Microsoft 365 Windows Outlook app is still vulnerable.<\/p>\n

User interaction is not necessary to trigger (even before message preview) it, nor does it require high privileges. CVE-2023-23397 is a zero-touch vulnerability that is triggered when the victim client is prompted and notified (e.g., when an appointment or task prompts five minutes before the designated time). It is difficult to block outbound SMB traffic for remote users. The attacker could use the same credentials to gain access to other resources. We elaborate on this example in our webinar<\/a> (at 04:23 of the video).<\/p>\n

There have been reports of limited attacks abusing this gap. Microsoft has been coordinating with the affected victims to remediate this concern. All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

1. Lateral movement, malicious navigation using the relayed NTLM hashes<\/p>\n

Relay attacks gained notoriety as a use case for Mimikatz<\/a> using the NTLM credential dumping routine via the sekurlsa<\/a> module. In addition, pass-the-hat (PtH)<\/a> (or pass-the hash<\/a>) attacks and variations of data and information theft can be done. Once attackers are in the system, they can use the network for lateral movement and navigate the organization\u2019s lines over SMB. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

2. WebDAV directory traversal for payload attacker routines<\/p>\n

It\u2019s possible for an attacker to leverage WebDAV<\/a> services in cases where no valid SMB service for Outlook exists (i.e., is not configured) in the client. This is an alternative to the Web\/HTTP service that can also be read as a UNC path by .msg and\/or Outlook Calendar items. Attackers can set up a malicious WebDAV server to respond to affected victim clients with malicious pages. These pages may contain code that can range from leveraging a directory traversal technique similar to the Microsoft vulnerability CVE-2022-34713<\/a> (dubbed as DogWalk<\/a>) to push any form of payload for remote code execution such as webshells.<\/p>\n

Here are some steps that security administrators can perform to reduce the risk of exploitation of CVE-2023-23397:<\/p>\n