The Australian Cyber Security Centre (ACSC) has urged organizations using Microsoft Outlook for Windows to take immediate action to protect their systems from a high-severity vulnerability. The alert status is High.
The vulnerability named CVE-2023-23397, which has been classified as critical, could allow an attacker to remotely execute code on a victim’s machine by sending them a specially crafted email.
The vulnerability affects all versions of Microsoft Outlook for Windows, including the latest version, Outlook 2019.
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client.
This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” said the Microsoft patch notice, updated on March 21.
“The ACSC is not aware of any successful exploitation attempts against Australian organizations,” the alert said.
CVE-2023-23397 impacts supported editions of Microsoft Outlook for Windows but not the Android, iOS, and macOS versions, The Cyber Express reported earlier.
Microsoft Outlook for Windows vulnerability
Vulnerability CVE-2023-23397 is a critical privilege elevation/authentication bypass bug in Microsoft Outlook for Windows, released as part of the March Patch Tuesday set of patches.
“Exploitation of this vulnerability occurs when a threat actor delivers a specially crafted message to a user. These can leak the new technology LAN manager (NTLM) hash of the user to the untrusted network which an attacker can then relay to another service and authenticate as the user,” the ACSC alert said.
The ACSC has warned that CVE-2023-23397 is already being exploited in the wild by advanced persistent threat (APT) actors, and it is only a matter of time before more malicious actors start exploiting it to target organizations through Microsoft Outlook for Windows.
The ACSC has recommended that organizations apply the patch released by Microsoft as soon as possible.
In addition, organizations are advised to implement security measures such as email filtering and endpoint protection to reduce the risk of this and other similar vulnerabilities that affect Microsoft Outlook for Windows being exploited.
The ACSC has also urged businesses to educate their staff about the risks of opening suspicious emails on Microsoft Outlook for Windows and to remind them not to click on any links or attachments in emails from unknown sources.
Microsoft Outlook vulnerability: The alerts are out
The ACSC alert on the vulnerability that affects Microsoft Outlook for Windows follows the warnings issued by cybersecurity companies.
“The current exploit is not an isolated incident, but rather part of a series of similar vulnerabilities that go back to 2017.
Some of these vulnerabilities, including CVE-2017-8572 and CVE-2017-11927, have enabled hackers to obtain a user’s NTLMv2 credentials from Outlook in the past as well,” said a Logpoint threat assessment report.
“What makes the issue much more critical is the fact that it doesn’t require any action from the user to be activated,” it added.
“CVE-2023-23397 is a zero-touch exploit, meaning the security gap requires low complexity to abuse and requires no user interaction,” said a Trend Micro analysis of the Microsoft Outlook for Windows vulnerability.
CVE-2023-23397 can be triggered without user interaction or high privileges, even before the message is previewed: the crafted item fires when the Outlook client processes its reminder, for example when an appointment or task reminder is due five minutes before the scheduled time.
Blocking outbound SMB traffic for remote users is challenging, and if exploited, the attacker could gain access to other resources using the same credentials, said the Trend Micro report.
To determine whether a mailbox is affected, Microsoft has published a PowerShell script that examines email, calendar, and task items for the “PidLidReminderFileParameter” property.
This script enables administrators of Microsoft Outlook for Windows to identify problematic items with this property and take appropriate action, such as removal or permanent deletion.
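As an added illustration of the triage such a script performs (this is example code written for this article, not Microsoft's script, which reads the property from mailboxes over Exchange Web Services), the Python below takes already-exported PidLidReminderFileParameter values and separates items pointing at a local file from those pointing at a UNC path on a remote host. The item list, the TRUSTED_HOSTS allowlist and the host names and addresses are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of mailbox items: (item id, message class, value of the
# PidLidReminderFileParameter property, or None when the property is absent).
# Assumed to come from a mailbox export; hosts use documentation ranges/names.
SAMPLE_ITEMS = [
    ("item-001", "IPM.Note", None),
    ("item-002", "IPM.Appointment", r"C:\Windows\Media\Alarm01.wav"),
    ("item-003", "IPM.Task", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("item-004", "IPM.Appointment", r"\\203.0.113.10\share\remind.wav"),
    ("item-005", "IPM.Note", r"\\?\UNC\203.0.113.10\c$\remind.wav"),
    ("item-006", "IPM.Note", "//203.0.113.10/share/remind.wav"),
]

# Hosts on which a reminder sound may legitimately live (assumption for the example).
TRUSTED_HOSTS = {"fileserver.corp.example"}

# Matches "\\host\", "//host/" and the long form "\\?\UNC\host\"; captures the host.
_UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|[\\/]{2})([^\\/]+)[\\/]", re.IGNORECASE)

def remote_host(value: str) -> Optional[str]:
    """Return the host named by a UNC-style path, or None for a local path."""
    m = _UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None

def classify(value: Optional[str]) -> str:
    """Verdict for one property value: clean, local, review or suspicious."""
    if value is None:
        return "clean"            # property not set: nothing to act on
    host = remote_host(value)
    if host is None:
        return "local"            # property set, but it names a local file
    if host in TRUSTED_HOSTS:
        return "review"           # remote path, but to a host we expect
    return "suspicious"           # remote path to an unexpected host: NTLM leak risk

def triage(items):
    """Return (item id, message class, verdict, host) for each item whose property is set."""
    findings = []
    for item_id, msg_class, value in items:
        verdict = classify(value)
        if verdict != "clean":
            findings.append((item_id, msg_class, verdict, remote_host(value)))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_ITEMS):
        print(row)
```

Items reported as "suspicious" are the ones an administrator would remove or clear, as the article describes; "local" items are reported only because the property is rarely set at all.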