CVE-2023-23397
CVSSv3: 9.8
*Please install Microsoft's March patches as soon as possible on systems with Outlook.
Microsoft has released a zero-day patch to mitigate an actively exploited vulnerability used by a Russia-based APT. Attacks tied to this vulnerability have targeted government organizations, transportation, energy and other critical infrastructure sectors.
This vulnerability allows an attacker to target a recipient with an email that executes malicious code on delivery in order to remotely steal password hashes. It occurs when the attacker sends "a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server." The exploit fires in preview mode, without the message being opened in a new window.
Simply put, the attacker sets the path that will be used as the recipient's notification sound, and the Outlook client processes that malicious path automatically when it receives the message. The attack can be delivered through Outlook calendar appointments, tasks, notes, or email messages.
Once the NTLM hashes have been harvested, they can be used in NTLM relay attacks to gain further access to an organization's network.

Microsoft has released a script to detect and purge emails that have targeted your environment.
Detection script:
"To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc."
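The triage that Microsoft's script automates can be sketched in a few lines: walk an export of message properties and flag every message whose reminder-sound property points at a UNC path, i.e. a path that would make Outlook reach out over SMB. This is an added example, not Microsoft's script; the property name PidLidReminderFileParameter (the MAPI named property Outlook uses for the custom reminder sound), the export shape, the message ids and the hosts are assumptions or constructed values, not taken from this advisory.

```python
import re

# Assumption, not stated in the advisory: Outlook keeps the custom reminder
# sound path in the MAPI named property PidLidReminderFileParameter
# (PSETID_Common, LID 0x851F). It is used here only as a dictionary key.
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# UNC spellings Windows resolves over SMB: \\host\share, \\?\UNC\host\share
# and the forward-slash variants. Group 1 captures the remote host.
UNC_RE = re.compile(r"^\s*(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})([^\\/\s]+)[\\/]",
                    re.IGNORECASE)


def remote_host(value):
    """Return the host a reminder-sound path points at, or None if it is local/absent."""
    if not isinstance(value, str):
        return None
    m = UNC_RE.match(value)
    return m.group(1) if m else None


def triage(messages):
    """Flag messages whose reminder sound would make Outlook connect to a remote host.

    `messages` is an iterable of dicts with an "id" and a "props" dict mapping
    MAPI property name -> value (a minimal stand-in for a mailbox export).
    Returns a list of (message id, remote host) pairs that need purging.
    """
    hits = []
    for msg in messages:
        value = msg.get("props", {}).get(REMINDER_FILE_PARAMETER)
        host = remote_host(value)
        if host is not None:
            hits.append((msg["id"], host))
    return hits


# Constructed sample export; none of these values come from a real incident.
SAMPLE = [
    {"id": "AAMk-1", "props": {REMINDER_FILE_PARAMETER: r"\\203.0.113.10\sounds\reminder.wav"}},
    {"id": "AAMk-2", "props": {REMINDER_FILE_PARAMETER: r"C:\Windows\Media\Alarm01.wav"}},
    {"id": "AAMk-3", "props": {REMINDER_FILE_PARAMETER: r"\\?\UNC\attacker.example\s\x.wav"}},
    {"id": "AAMk-4", "props": {}},
]

if __name__ == "__main__":
    for msg_id, host in triage(SAMPLE):
        print(f"{msg_id}: reminder sound points at remote host {host}; purge it and check SMB egress")
```

Messages that are flagged should be removed from the mailbox, and the hosts they point at are useful pivots for checking outbound TCP 445 logs.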
Additional sources:
https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-day-bugs-security-feature-bypass
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397?ref=cisco-talos-blog
