May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability

March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.

March 23, 2023 update: See Releases for Microsoft Products below for clarification on product changes and defense in depth update availability.

Summary Summary

Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft to an untrusted network, such as the Internet. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.

Impacted Products Impacted Products

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Technical Details Technical Details

CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required.

The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. To protect against known bypasses, please refer to CVE-2023-29324.

Fix Fix

Please refer to CVE-2023-23397 Outlook updates to address this vulnerability, read FAQs, and additional mitigation details.

To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication.

The Outlook update addresses the vulnerability by only using the path to play a sound when from a local, intranet or trusted network source.

Impact Assessment Impact Assessment

To help you determine if your organization was targeted or compromised by threat actors exploiting this vulnerability, Microsoft Incident Response has published a guide for investigating attacks that use CVE-2023-23397 at Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.

Releases for Microsoft Products Releases for Microsoft Products

The following table summarizes the releases for Microsoft products and what they provide:

Acknowledgement Acknowledgement

The Microsoft Incident Response team and Microsoft Threat Intelligence community appreciate the opportunity to investigate the findings reported by CERT-UA.

Through joint efforts, Microsoft is aware of limited targeted attacks using this vulnerability and initiated communication with the affected customers. Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe. We appreciate Akamai responsibly disclosing the issues addressed in CVE-2023-29324 which gave us the opportunity to investigate and address the issues raised.

We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD).

References References

• Visit the Security Update Guide for information about CVE-2023-23397 and CVE-2023-29324

• For more information, review the Exchange Team Blog

• Questions? Open a support case through the Azure Portal at aka.ms/azsupt