What is CVE-2023-23397 vulnerability?
CVE-2023-23397 is a remote code execution (RCE) vulnerability in Microsoft Outlook, first disclosed in March 2023. It lets threat actors exploit a privilege escalation flaw by crafting a malicious email that carries a UNC path, which prompts Outlook to perform NTLM authentication. What makes this vulnerability particularly dangerous is that it requires no user interaction, making it a severe threat to enterprise environments.
When was it discovered?
The CVE-2023-23397 vulnerability was first discovered by Microsoft’s Threat Intelligence team and disclosed on March 14, 2023. Microsoft issued an advisory detailing the vulnerability’s impact, with additional information provided by the Cybersecurity and Infrastructure Security Agency (CISA).
Affected Products & Versions
Product | Versions Affected | Fixed Versions / Patch Links
--- | --- | ---
Microsoft Outlook | Outlook 2013, Outlook 2016, Outlook 2019 |
CVE-2023-23397 technical description
At its core, CVE-2023-23397 is a privilege escalation path reached by manipulating the Extended MAPI properties of an email. The attacker sends a message containing a custom property that specifies a UNC path; when Outlook processes the message, it automatically initiates an NTLM authentication session against that path. This exposes the victim's credentials, including NTLMv2 hashes, to the attacker-controlled host. Because no user interaction is required, the flaw is easy to exploit and gives threat actors a simple route to their objectives.
Tactics, Techniques & Procedures (TTPs)
Attackers leveraging CVE-2023-23397 typically deliver the crafted email through phishing campaigns. Once the email reaches the mailbox, its malicious properties cause Outlook to contact an attacker-controlled server, which captures the victim's authentication credentials.
Indicators of Compromise (IoCs)
Some known IoCs associated with CVE-2023-23397 include:
Malicious emails containing unreachable UNC paths.
Suspicious outbound NTLM authentication traffic to unknown domains or IP addresses.
Unusual activity in Extended MAPI logs.
Known Proof-of-Concepts & Exploits
Proof-of-concept (PoC) code for CVE-2023-23397 has been published on exploit databases and in GitHub repositories. These PoCs reproduce the exploitation process and demonstrate how an attacker crafts the malicious message that triggers the credential leak on vulnerable systems.
How to detect CVE-2023-23397 vulnerability?
Detecting CVE-2023-23397 involves monitoring Extended MAPI properties for abnormal configurations, scanning network logs for unexpected NTLM authentication attempts, and using SIEM rules to flag suspicious activity. Organizations should focus on logs generated by Outlook clients and prioritize analysis of outbound authentication requests.
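One way to triage the Extended MAPI properties described above, written here as an added example rather than code from the advisory or from Microsoft's own scanning script: it takes property values exported from a mailbox and flags UNC paths whose host lies outside the organisation. The property name, the internal address ranges and the DNS suffix are constructed assumptions.

```python
import ipaddress
import re

# Added example, not code from the advisory or from Microsoft's own scanning script.
# It classifies Extended MAPI property values exported from a mailbox and flags
# UNC paths whose host lies outside the organisation. The property name, the
# internal address ranges and the DNS suffix below are constructed assumptions.

# Matches \\host\share\file and the \\host@port\... form used for WebDAV targets.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>\d+|SSL))?(?:\\(?P<rest>.*))?$", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: the organisation's internal DNS suffixes

def is_internal_host(host: str) -> bool:
    """True for addresses in the org's ranges, internal DNS names, or bare NetBIOS names."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES) or "." not in host

def classify_property(value: str) -> str:
    """Return 'external-unc', 'internal-unc' or 'not-unc' for one property value."""
    m = UNC_RE.match(value.strip())
    if not m:
        return "not-unc"
    return "internal-unc" if is_internal_host(m.group("host")) else "external-unc"

def triage(messages):
    """messages: list of {'id': ..., 'props': {name: value}}; returns (id, name, value) hits."""
    hits = []
    for msg in messages:
        for name, value in msg["props"].items():
            if isinstance(value, str) and classify_property(value) == "external-unc":
                hits.append((msg["id"], name, value))
    return hits

# Constructed sample export; "ReminderSoundFile" is a placeholder property name.
SAMPLE = [
    {"id": "msg-1", "props": {"ReminderSoundFile": r"\\203.0.113.10\share\alert.wav"}},
    {"id": "msg-2", "props": {"ReminderSoundFile": r"\\fileserver.corp.example\sounds\ding.wav"}},
    {"id": "msg-3", "props": {"ReminderSoundFile": r"\\dav.example.net@80\files\alert.wav"}},
    {"id": "msg-4", "props": {"ReminderSoundFile": "C:\\Windows\\Media\\ding.wav"}},
]

if __name__ == "__main__":
    for msg_id, name, value in triage(SAMPLE):
        print(f"flag {msg_id}: {name} = {value}")
```

Feed the output into the SIEM correlation mentioned above so that a flagged message can be matched against outbound NTLM authentication attempts to the same host.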
Impact & risk of CVE-2023-23397 vulnerability
The CVE-2023-23397 vulnerability poses severe risks to business operations, including credential theft, system penetration, and unauthorized access. Exploitation compromises data confidentiality, integrity, and system availability. For example, stolen NTLM hashes could lead to lateral movement or subsequent ransomware attacks.
Mitigation & remediation strategies
To mitigate CVE-2023-23397, Microsoft recommends immediately applying the security patch described in its advisory. Organizations should also implement strong network segmentation and restrict NTLM in favour of more secure authentication methods. Email filtering systems and proactive security awareness training for employees can help minimize exposure.
CVE-2023-23397 Vulnerability FAQs