
Microsoft Outlook zero-day vulnerability

This live blog contains information regarding the Microsoft Outlook zero-day vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 16, 2023.


Update 16 March 2023

16:30 | We updated our blog about the Microsoft Outlook zero-day vulnerability with the latest information. On 14 March 2023, security researchers shared technical details on how the CVE-2023-23397 vulnerability can be exploited.

Now that technical exploitation details for CVE-2023-23397 are public, the chance of exploitation by malicious actors increases. It is therefore highly recommended to apply the software patches or the workaround: the vulnerability is easy to exploit and is likely to be adopted quickly by malicious actors.

The blog published by MDSec with the technical details can be found here: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

Update 15 March 2023

14:00 | During the Patch Tuesday of March 2023, Microsoft released patches for 83 vulnerabilities. The most severe one is a privilege escalation vulnerability in Microsoft Outlook, registered as CVE-2023-23397. This vulnerability allows a remote, unauthenticated attacker to steal credential hashes by sending a specially crafted email.

The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client. Exploitation can therefore occur before the email is even viewed in the Preview Pane.

It is advised to apply the security patches as soon as possible. Microsoft is aware of active exploitation in the wild against a small number of government, military, energy and transportation organisations. Once exploit code becomes publicly available, it is likely that more attackers will start exploiting the vulnerability.


Background

During the Patch Tuesday of March 2023, Microsoft released patches for 83 vulnerabilities. The most severe one is a privilege escalation vulnerability in Microsoft Outlook, registered as CVE-2023-23397. This vulnerability allows a remote, unauthenticated attacker to steal credential hashes by sending a specially crafted email. The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client. Exploitation can therefore occur before the email is even viewed in the Preview Pane.

Risk

The vulnerability CVE-2023-23397 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10; a score of 9.8 or higher is rare and implies a high likelihood of exploitation with high impact. CVE-2023-23397 is a privilege escalation vulnerability in Microsoft Outlook that allows an unauthenticated attacker to steal credential hashes by sending a specially crafted email to the victim. The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client. Exploitation can therefore occur before the email is even viewed in the Preview Pane.

Microsoft has stated that there is limited exploitation in the wild. Once exploit code becomes publicly available, however, it is likely that more attackers will start exploiting the vulnerability.

Advice

The vulnerability exists in all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook, such as those for Android, iOS and Mac, as well as Outlook on the web and other Microsoft 365 services, are not affected.

Microsoft has published patches and several workarounds. It is advised to apply at least one of these mitigating actions. If patching is not an option, apply the workarounds given by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397. Blocking outbound TCP port 445 is a security best practice and should be considered regardless of this vulnerability.

It is advised to run the script published by Microsoft that checks Exchange messaging items (mail, calendar and tasks) for items that have been crafted to exploit the vulnerability. The script, its requirements and a step-by-step description of how to run it can be found here: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
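As an added example of the outbound port 445 block mentioned above (this is not code from the advisory or from Microsoft), the following PowerShell creates a Windows Defender Firewall rule that blocks outbound TCP 445 on a Windows host and then verifies that the rule is present and enabled. The rule name and description are assumptions chosen for this example; the cmdlets are the standard NetSecurity module cmdlets shipped with Windows.

```powershell
# Added example, not part of the Tesorion advisory: block outbound SMB (TCP 445)
# with Windows Defender Firewall and confirm the rule is in place.
# Run in an elevated PowerShell session. Rule name/description are assumed values.
$RuleName = 'Block-Outbound-SMB-445'

# Create the rule only if a rule with this display name does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Mitigation for CVE-2023-23397: prevent credential-hash leakage over SMB to remote hosts' `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445 `
        -Profile Any `
        -Action Block `
        -Enabled True | Out-Null
}

# Verification: show the rule together with its port filter so an auditor can
# confirm direction, action, protocol and remote port in one line of output.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Enabled    = $_.Enabled
        Protocol   = $portFilter.Protocol
        RemotePort = $portFilter.RemotePort
    }
}
```

Note that a blanket outbound block also prevents the host from reaching internal file servers over SMB. Where internal shares must stay reachable, scope the rule with the `-RemoteAddress` parameter (for example to non-RFC 1918 ranges) so that only SMB connections leaving the organisation are blocked, and apply the same restriction at the perimeter firewall.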

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
