Armis Logo< Back

CVE-2023-23397:

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397) allows attackers to steal NTLM hashes through specially crafted emails.


Score
Info
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical
  • Published Date:Mar 14, 2023
  • CISA KEV Date:Mar 14, 2023
  • Industries Affected:20

Threat Predictions

  • EPSS Score:93.4
  • EPSS Percentile:100%

Exploitability

  • Score:3.9
  • Attack Vector:NETWORK
  • Attack Complexity:LOW
  • Privileges Required:NONE
  • User Interaction:NONE
  • Scope:UNCHANGED

Impact

  • Score:5.9
  • Confidentiality Impact:HIGH
  • Integrity Impact:HIGH
  • Availability Impact:HIGH

Description Preview

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397) allows attackers to steal NTLM hashes through specially crafted emails.

Overview

This vulnerability affects Microsoft Outlook for Windows and stems from how Outlook processes certain message properties. When an attacker sends a specially crafted email that includes a UNC path to a remote SMB server they control, Outlook will automatically attempt to authenticate to that server using the user's Windows credentials. This occurs because the vulnerability triggers the NTLM authentication protocol, which sends the user's hashed credentials to the remote server. The attack is particularly dangerous because: 1. It requires no user interaction beyond receiving the email 2. It works even in the preview pane 3. It can be exploited before the email is viewed by the user 4. It allows attackers to capture authentication credentials remotely 5. The stolen NTLM hashes can be used in pass-the-hash attacks or cracked to reveal passwords

Remediation

  • To address this vulnerability, organizations should:
  • 1. Apply Microsoft's security update immediately (released March 2023)
  • 2. Use Microsoft's provided PowerShell script to scan for potentially malicious messages in Exchange mailboxes
  • 3. Block outbound SMB (TCP ports 445 and 139) at the network perimeter to prevent NTLM authentication to external servers
  • 4. Implement Extended Protection for Authentication and certificate-based authentication where possible
  • 5. Enable Windows Defender Credential Guard to protect NTLM credentials
  • 6. Consider disabling NTLM authentication if feasible in your environment
  • 7. Implement multi-factor authentication to mitigate the impact of credential theft
  • 8. Monitor for suspicious authentication attempts and network connections to external SMB servers

References

Industries Affected

Below is a list of industries most commonly impacted or potentially at risk based on intelligence.

Medium
Retail Trade icon
Retail Trade
Manufacturing icon
Manufacturing
Educational Services icon
Educational Services
Finance and Insurance icon
Finance and Insurance
Public Administration icon
Public Administration
Transportation and Warehousing icon
Transportation and Warehousing
Health Care and Social Assistance icon
Health Care and Social Assistance
Professional, Scientific, and Technical Services icon
Professional, Scientific, and Technical Services
Low
Mining icon
Mining
Utilities icon
Utilities
Information icon
Information
Construction icon
Construction
Wholesale Trade icon
Wholesale Trade
Real Estate Rental and Leasing icon
Real Estate Rental and Leasing
Accommodation and Food Services icon
Accommodation and Food Services
Arts, Entertainment, and Recreation icon
Arts, Entertainment, and Recreation
Management of Companies and Enterprises icon
Management of Companies and Enterprises
Agriculture, Forestry, Fishing and Hunting icon
Agriculture, Forestry, Fishing and Hunting
Other Services (except Public Administration) icon
Other Services (except Public Administration)
Administrative and Support and Waste Management and Remediation Services icon
Administrative and Support and Waste Management and Remediation Services

Focus on What Matters

See everything.Identify true risk.Proactively mitigate threats.Book a Demo

Let's talk!