The cyber-research community raises concerns over a vulnerability that puts the Microsoft 365 suite at risk. Earmarked CVE-2023-23397, the vulnerability allows an unauthenticated threat actor to obtain the user’s credentials by passing along a crafted email package. Research suggests that the bug, which was formally attributed to a Microsoft Outlook component, has a high ‘wormability’ factor, in most instances the user interaction phase being no longer necessary.
Microsoft Outlook Vulnerability Status Changed from POC to EOP
Discovered in or around the beginning of March, the Microsoft Outlook vulnerability was found to affect several applications from the Microsoft 365 Apps Enterprise stack, including MS Office 2019, 2016, 2013, and LTSC. Furthermore, a closer investigation revealed that the bug seems to be contained in Windows Server 2022 and Windows 11, meaning it does not affect older builds or legacy.
However, this is where the good news ends; the vulnerability itself does not require user interaction. According to the advisory released by Microsoft, CVE-2023-23397, which was labeled as the Pass-the-Hash attack, shows that the victim’s credentials are automatically passed to the attacker once the crafted email pops up in the inbox.
The method involves the involuntary disclosure of the victim’s Net-NTLM v.2 hash, which results in the threat actor declining his identity with the stolen credentials via an ancillary Windows service. In some instances, this action occurs long before the email hits Outlook’s preview pane. Given the implications of the vulnerability, Microsoft has assigned it a CVSS 3.1.9.8 score of 9.1 (i.e., Critical). The attack vector is remote only.
Since the vulnerability can be triggered in the absence of user interaction, CVE-2023-23397 can be regarded as having worm-like capabilities.
Heimdal® internal data revealed that, at the time this article was being written, more than 70% of our customers had already deployed Microsoft’s official fix for CVE-2023-23397. Furthermore, more than 92% of customers that have enabled the Patch & Asset Management automatic patching feature have deployed the official fix during the same timeframe.
Functional Mitigations for the Microsoft Outlook Vulnerability
Per Microsoft’s advisory, users can try the following methods in order to protect their infrastructure from Pass-the-Hash attacks.
1. Disable WebClient Service.
This workaround will help you block any type of WebDAV attack attempt. However, bear in mind that this can severely impact both users and applications. To disable the WebClient service, please follow the steps below.
Step 1. Navigate to HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\WebClient.
Step 2. Export the contents to your desktop.
Step 3. Import the file to your Domain Controller.
Step 4. Create a new Group Policy Object on your Domain Controller.
Step 5. Navigate to HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\WebClient
Step 6. Change to disabled start type = 4.
2. Bypass NTLM
The safest route to mitigate the Microsoft Outlook vulnerability is to prevent apps or users to leverage the NTLM authentication mechanism. To perform this action, you can add your users and administrators under the Protected Users Security Group. Refer to Microsoft’s documentation for additional information.
3. Block NTML Messaging for Remote File Shares
Another method to prevent this type of Pass-the-Hash attack without disabling NTML or WebClient would be to block all types of NTML Communication to and from remote file shares. This can be done by blocking the TCP 445/SMB outbound port in your firewall.