Alert - Microsoft Outlook zero-day vulnerability allowing NTLM credential theft - CVE-2023-23397

Number: AL23-002
Date: March 15, 2023

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On March 14, 2023, Microsoft published advisories highlighting several critical vulnerabilities [1][2]. One of those advisories, CVE-2023-23397, disclosed a vulnerability affecting Microsoft Outlook and noted that it has been exploited in the wild [3][4]. Open-source reporting further indicates that this zero-day vulnerability was exploited by sophisticated actors [2].

CVE-2023-23397 allows a threat actor to send a specially crafted email carrying a malicious payload that causes the victim's Outlook client to automatically connect to a Universal Naming Convention (UNC) path under the actor's control. The payload is an extended MAPI reminder property (PidLidReminderFileParameter) on a mail, calendar or task item that points the reminder's sound file at the actor's UNC path; when Outlook follows it, the actor's server captures the user's Net-NTLMv2 response, which is a challenge-response hash rather than the plaintext password [2]. A captured Net-NTLMv2 response can be relayed to other services that accept NTLM authentication or cracked offline, enabling further exploitation [5].

Exploitation does not require the user to open or preview the email; Outlook processes the malicious item automatically when it is received. The Cyber Centre has confirmed successful reproduction of a payload that triggers the exploit.

Recommended actions

The Cyber Centre recommends applying Microsoft's update immediately [6]. Where that is not possible, some or all of the following mitigations and actions should be performed as quickly as possible:

  • Block outbound TCP 445 (SMB) from your networks at the perimeter so that a triggered payload cannot reach the actor's server. This stops the outbound connection but does not remove the underlying vulnerability, so treat it as an interim measure.
  • Add high-value users (for example, administrators) to the Protected Users security group, which prevents their accounts from authenticating with NTLM [7]. Membership also disables cached logons, DES and RC4 Kerberos encryption types and delegation, so pilot it with a small set of accounts before a wide rollout.
  • Restrict outgoing NTLM traffic to remote servers using the Network security: Restrict NTLM Group Policy settings, running in audit mode first to identify legitimate NTLM dependencies [8].
  • Periodically run the script provided by Microsoft to detect, and optionally clean up, potentially malicious messaging items (mail, calendar and task items) in Exchange Online or on-premises mailboxes [9].
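The following PowerShell is an added example of host-level equivalents of the interim mitigations above; it is not code from the Cyber Centre alert or from Microsoft. It assumes internal SMB servers live in RFC 1918 address space, that it is run elevated on a domain-joined administrative host with the ActiveDirectory module installed, and that the account names and rule name are placeholders.

```powershell
# Added example (not from the Cyber Centre alert or Microsoft): host-level
# versions of the interim mitigations for CVE-2023-23397. Run elevated.
# Assumptions: internal SMB servers are in RFC 1918 space; the rule name and
# the account names below are placeholders.

#Requires -RunAsAdministrator

# 1. Block outbound TCP 445 to every non-RFC 1918 destination.
#    Windows Firewall block rules take precedence over allow rules, so
#    listing only the public ranges keeps internal file servers reachable.
#    The ranges are the unicast complement of 10/8, 172.16/12 and
#    192.168/16, with 127/8 left out so loopback is untouched.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 interim)'
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $publicRanges -Action Block -Profile Any | Out-Null
}

# 2. Restrict outgoing NTLM to remote servers. Start in audit mode (1) so
#    that legitimate NTLM dependencies surface as event 8001 in the NTLM
#    operational log; switch to 2 (deny) once the audit is clean.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true

# Review what the audit caught after a period of normal use. Target servers
# outside the domain are the ones relevant to this CVE.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. Put high-value accounts in Protected Users, which disables NTLM for
#    them. Members also lose cached logons, DES/RC4 Kerberos encryption
#    types and delegation, so start with a pilot set.
Import-Module ActiveDirectory
$pilotAccounts = @('da-alice', 'helpdesk-bob')   # placeholder sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $pilotAccounts
```

Step 2 deliberately stops at audit mode: flipping RestrictSendingNTLMTraffic to 2 before reviewing the 8001 events tends to break legacy file shares and appliances that only speak NTLM, and the firewall rule in step 1 already blocks the specific outbound path this exploit uses while that review happens.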

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, email (contact@cyber.gc.ca) or telephone (1-833-CYBER-88 or 1-833-292-3788).
