CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
98.7%
Microsoft Outlook Elevation of Privilege Vulnerability
Recent assessments:
cbeek-r7 at March 15, 2023 8:17am UTC reported:
Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.
By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.
Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction, and the vulnerability can be triggered without either reading the email or viewing it in preview mode; it will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.
CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397.
tacotuesday at March 21, 2023 5:38pm UTC reported:
Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.
By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.
Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction, and the vulnerability can be triggered without either reading the email or viewing it in preview mode; it will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.
CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397.
Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 5
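As an added, defender-side example (not code from this page or from any of the projects linked below): a small Python triage routine for values of the PidLidReminderFileParameter property described in the assessments above, of the kind a mailbox sweep script would call after extracting the property from each item. The property legitimately holds an empty value or a local path to a reminder sound file, so anything that names another host is worth a look. The trusted host names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hosts that belong to the organisation's own estate. Constructed example
# values; a real deployment would load these from its inventory.
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# \\host\share\file.wav or //host/share/file.wav (trailing separator optional)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/]|$)")
# file://host/share/file.wav
FILE_URL_RE = re.compile(r"^file:[\\/]{2,}([^\\/]+)(?:[\\/]|$)", re.IGNORECASE)
# C:\... or C:/... (a local drive path, the expected legitimate form)
LOCAL_RE = re.compile(r"^[A-Za-z]:([\\/]|$)")

@dataclass
class Verdict:
    suspicious: bool
    reason: str
    host: Optional[str] = None

def classify_reminder_path(value: str) -> Verdict:
    """Triage one PidLidReminderFileParameter value: empty or local is expected;
    a value naming another host would make the Outlook client open an outbound
    connection to it, so it is flagged unless that host is trusted."""
    v = value.strip()
    if not v:
        return Verdict(False, "empty")
    if LOCAL_RE.match(v):
        return Verdict(False, "local drive path")
    m = UNC_RE.match(v) or FILE_URL_RE.match(v)
    if m is None:
        return Verdict(True, "unrecognised form, review manually")
    host = m.group(1).split("@")[0].lower()  # drop a WebDAV-style host@port suffix
    if LOCAL_RE.match(host):
        return Verdict(False, "local drive path")  # e.g. file:///C:/...
    if host in TRUSTED_HOSTS:
        return Verdict(False, "trusted internal host", host)
    return Verdict(True, "path to untrusted host", host)

def triage(items: Iterable[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """items: (message id, property value) pairs; returns only the suspicious ones."""
    flagged = []
    for msg_id, prop in items:
        verdict = classify_reminder_path(prop)
        if verdict.suspicious:
            flagged.append((msg_id, verdict))
    return flagged
```

Feed `triage` the message ids and property values a sweep script has already pulled out of the mailboxes; any flagged item is a candidate for the reminder-property clean-up that Microsoft's CSS-Exchange guidance linked below describes.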
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397
github.com/api0cradle/CVE-2023-23397-POC-Powershell
github.com/BillSkiCO/CVE-2023-23397_EXPLOIT
github.com/cleverg0d/CVE-2023-23397-PoC-PowerShell
github.com/ka7ana/CVE-2023-23397
github.com/ruppde/yara_rules/blob/main/CVE-2023-23397/munin_check-results_CVE-2023-23397.csv
github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
github.com/Trackflaw/CVE-2023-23397
github.com/vbrunschot/Exploits/blob/main/privesc/CVE-2023-23397-POC-Outlook/CVE-2023-23397-POC.ps1
microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
socprime.com/rs/rule/51fde79b-6722-4887-b22f-27819ebe7fe8
socprime.com/rs/rule/b3aa1bcb-aa91-46fc-9925-a8be50fc2769
socprime.com/rs/search-result?search=cve-2023-23397
www.cyborgsecurity.com/blog/detecting-cve-2023-23397-how-to-identify-exploitation-of-the-latest-microsoft-outlook-vulnerability/
www.deepinstinct.com/blog/cve-2023-23397-exploitations-in-the-wild-what-you-need-to-know
www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html
www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability