On March 14th, 2023, Microsoft released details of a critical (9.8/10) vulnerability relating to Outlook clients globally which was discovered and submitted by the Computer Emergency Response Team (CERT) of Ukraine (UA).
What makes this vulnerability particularly severe is the fact that unlike traditional phishing, which requires a user to open a malicious attachment or link, this exploit requires no user interaction to operate based on proof of concepts already developed by the research community.
How does CVE-2023-23397 work?
In summary, attackers can weaponise a calendar invite or appointment with additional properties and when emailed to a victim, it causes the “Reminder Notification” and associated sound to trigger, which is typically used to remind the user that the proposed meeting is either overdue, or is about to start.
It was discovered that it is possible to customise this notification sound and instead of configuring a sound to play, attackers can put the path to a remote resource such as a malicious external host, using a Universal naming convention (UNC) path. This meant that when the reminder notification triggers, it also causes unwanted connections to this malicious host using the Server Message Block (SMB) protocol (normally used for network file sharing) and perform NTLM authentication, exposing the hashes which can then be used by attackers to perform pass-the-hash attacks.
What Can I Do?
The good news is that Microsoft have already released a set of patches along with details of this vulnerability. The best course of action at this time to ensure Microsoft patches are prioritised as quickly as possible to mitigate possible use of the vulnerability. Links to the Microsoft vulnerability and associated patches are below.
For defenders, monitoring or blocking outbound connections to 445/SMB is another step if patching is not immediately viable. It is advisable, however, that this is taken into consideration on a case-by-case basis as 445/SMB is a legitimate protocol and may be used by organisational services.
Microsoft Vulnerability page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Public Writeup of the Exploit: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/