CVE-2023-23397: Microsoft Office Outlook Privilege Escalation Vulnerability

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On March 14, 2023, Microsoft MSRC published a blog post [1] about a critical privilege escalation zero-day vulnerability, CVE-2023-23397, which allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. The vulnerability has a CVSS score of 9.8 (Critical) [2] and affects everything from Microsoft 365 apps for enterprise to Outlook 2013 SP1 [3].

Fortunately, Picus Labs have swiftly added simulations for CVE-2023-23397 vulnerability exploitation attacks to Picus Threat Library. In this blog, we explain how threat actors exploit the CVE-2023-23397 vulnerability.

Start Simulating Vulnerability Exploitation Attacks with a 14-day free trial of the Picus Platform

What is the CVE-2023-23397 Vulnerability?

CVE-2023-23397 is a critical zero-day vulnerability with a CVSS score of 9.8 that affects Microsoft Outlook, allowing an attacker to access a user's Net-NTLMv2 challenge-response authentication hash and impersonate the user leveraging the NTLM Relay attack technique [4]. 

On March 16, 2023, Microsoft released a PowerShell script (.ps1) to audit your Exchange server for mail items that adversaries might use to exploit this vulnerability [5], [6]. Further analysis shows that the PowerShell script particularly looks for the PidLidReminderFileParameter property inside the mail items and offers the option to “clean” it if found [7]:

try {
    if ($CleanupAction -eq "ClearItem") {
        $item.Delete( [Microsoft. Exchange. WebServices .Data.DeleteMode]::HardDelete)
    } else {
        if (-not $item. RemoveExtendedProperty ($mailInfo ["PidLidReminderFileParameter"])) . {
          Write-Host ("Failed to clear property for entry number: $entryCount, Line number: $($entryCount + 1)") 

           $invalidEntries.Add ($entryCount) 

           continue

        }

Figure 1. CVE-2023-23397 script

The definition of the corresponding property [8] shows that it manages which sound file should be played when a reminder for a mail item is triggered.

Figure 2. PidLidReminderFileParameter property definition

However, what makes this property noteworthy is that it can also accept a filename, which has the potential to be a UNC path. The significance of this lies in the fact that a UNC path can potentially trigger the NTLM authentication process.

Which Threat Actors Exploit the CVE-2023-23397 Vulnerability?

APT28 (a.k.a STRONTIUM, Sednit, Sofacy, and Fancy Bear) has been linked to Russia's military intelligence service, GRU, and exploited the CVE-2023-23397 vulnerability between April and December 2022 [9]. 

The group used malicious Outlook notes and tasks to steal NTLMv2 hashes via NTLM negotiation requests, which then prompted targeted devices to authenticate to attacker-controlled SMB shares (over TCP 445). Later, the APT group used the stolen credentials for lateral movement within the victim's networks and changed Outlook mailbox folder permissions, which enabled email exfiltration for specific accounts. 

As a result, this critical vulnerability allowed APT28 to target European organizations in the government, military, energy, and transportation sectors.

Affected Systems and Applications by the CVE-2023-23397 Vulnerability

Below, we provided a list of affected systems and applications by the Microsoft Office Outlook Privilege Escalation CVE-2023-23397 vulnerability [10].

Product

Edition

Microsoft Office LTSC 2021 

32-bit and 64-bit

Microsoft Outlook 2016

32-bit and 64-bit 

Microsoft Office 2019 

32-bit and 64-bit 

Microsoft Outlook 2013 Service Pack 1

32-bit and 64-bit 

Microsoft 365 Apps for Enterprise

64-bit

 

PoC Exploit for the Microsoft Office Outlook Privilege Escalation Vulnerability

A Proof-of-Concept (PoC) for CVE-2023-23397 has been created by MDSec, revealing the vulnerability's potential for exploitation [7]. Although Microsoft did not provide specific details on how to exploit the vulnerability, MDSec has created an Outlook MSG file with malicious properties, specifically PidLidReminderOverride and PidLidReminderFileParameter. This exploit triggers the NTLM authentication process to an IP address, regardless of whether the user selects the option to load remote images or not.

How Picus Helps Simulate Microsoft Office Outlook Privilege Escalation CVE-2023-23397 Vulnerability Exploitation Attacks?

We strongly suggest simulating Microsoft Office Outlook Privilege Escalation CVE-2023-23397 attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform

You can simulate vulnerability exploitation attacks and evaluate your defenses in a 14-day free trial of the Picus Platform. In addition to CVE-2023-23397, the platform can also test your defenses against hundreds of other vulnerabilities, including Log4Shell, Follina, and ProxyShell, in just a few minutes.

Picus Threat Library includes the following threats for Microsoft Office Outlook Privilege Escalation CVE-2023-23397 attacks.

Threat ID

Threat Name

Attack Module

89500

Microsoft Office Outlook Privilege Escalation Vulnerability Threat

Network Infiltration

95854

Microsoft Office Outlook Privilege Escalation Vulnerability Threat

E-mail Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397. [Accessed: Mar. 17, 2023]

[2] “NVD - CVE-2023-23397.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2023-23397. [Accessed: Mar. 17, 2023]

[3] T. Redmond, “Outlook Elevation of Privilege Vulnerability Leaks Credentials via NTLM,” Practical 365, Mar. 15, 2023. [Online]. Available: https://practical365.com/cve-2023-23397-ntlm-vulnerability/. [Accessed: Mar. 17, 2023]

[4] C. Talos, “Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild,” Cisco Talos Blog, Mar. 15, 2023. [Online]. Available: https://blog.talosintelligence.com/outlook-privilege-escalation-vulnerability-cve-2023-23397/. [Accessed: Mar. 17, 2023]

[5] “CSS-Exchange/CVE-2023-23397.md at a4c096e8b6e6eddeba2f42910f165681ed64adf7 · microsoft/CSS-Exchange,” GitHub. [Online]. Available: https://github.com/microsoft/CSS-Exchange. [Accessed: Mar. 17, 2023]

[6] “CVE-2023-23397 script.” [Online]. Available: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/. [Accessed: Mar. 17, 2023]

[7] “Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability,” MDSec, Mar. 14, 2023. [Online]. Available: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/. [Accessed: Mar. 17, 2023]

[8] “Website.” [Online]. Available: https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidlidreminderfileparameter-canonical-property

[9] Surur, “Microsoft Patches Zero-Day Flaw in Outlook Exploited by Russian Hackers,” Mar. 16, 2023. [Online]. Available: https://www.bigtechwire.com/2023/03/16/microsoft-patches-zero-day-flaw-in-outlook-exploited-by-russian-hackers/. [Accessed: Mar. 17, 2023]

[10] KS Threat Research, “CVE-2023-23397 – Microsoft Outlook Privilege Elevation Critical Vulnerability,” Kudelski Security Research, Mar. 15, 2023. [Online]. Available: https://research.kudelskisecurity.com/2023/03/15/cve-2023-23397-microsoft-outlook-privilege-elevation-critical-vulnerability/. [Accessed: Mar. 17, 2023]