On Tuesday, March 14, 2023, Microsoft disclosed a critical (CVSS 3.1 base score 9.8) Microsoft Outlook elevation of privilege vulnerability as part of its March Patch Tuesday release, officially assigned CVE-2023-23397.
What makes this vulnerability notable is that attack complexity is rated "Low" and no user interaction is required: an attacker can attempt exploitation merely by sending the victim a specially crafted email or message. The crafted item causes Outlook to initiate an outbound SMB connection to an attacker-controlled share and send the user's NTLM authentication messages, which is why the mitigations below focus on NTLM and outbound SMB traffic.
Microsoft stated that limited attacks against targeted organizations had already been observed. Given the low complexity of the attack, threat actors are expected to use it more heavily as proofs of concept (PoCs) are released and made public.
Please note that this vulnerability is reported to affect only Windows versions of Outlook. Non-Windows versions such as Outlook for macOS, iOS and Android, and Outlook on the web, are not reported to be affected.
More background information on the vulnerability can be found in our Trend Micro Research Blog post, Patch CVE-2023-23397 Immediately: What You Need to Know and Do.
Information for Trend Micro customers, highlighting potential investigation tools and protection/preventative measures, is listed below.
Mitigations, Trend Micro Protection, and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches as soon as they become available and it is feasible to do so. Microsoft released a patch as part of its March 2023 Monthly Security Update (more commonly known as "Patch Tuesday").
Microsoft has also outlined additional mitigations in its security bulletin. As with any modification of this type, administrators should carefully consider the impact on other production applications and implement them based on a proper risk/reward analysis:
- Disable the WebClient service. Note that this blocks all WebDAV connections, including connections to the intranet.
- Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. This could impact applications that rely on NTLM in your environment.
- Block TCP 445/SMB outbound from your network using a perimeter firewall, a local firewall and your VPN settings. This prevents NTLM authentication messages from being sent to remote file shares.
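The following PowerShell script is an added example (it is not Trend Micro's or Microsoft's code) that applies the three interim mitigations above on a Windows host joined to an Active Directory domain. The `-UsersToProtect` parameter, the `-Apply` switch and the firewall rule name are assumptions of this example; without `-Apply` the script only reports what it would change. It must be run elevated, the Protected Users step needs the RSAT ActiveDirectory module and rights to modify the group, and the firewall rule uses the built-in `Internet` address keyword so that SMB to local subnets keeps working (use `-RemoteAddress Any` to match the bulletin literally, at the cost of intranet shares).

```powershell
# Added example: apply Microsoft's interim mitigations for CVE-2023-23397.
# Each step can break legitimate functionality (WebDAV, NTLM-dependent
# applications, SMB to non-local hosts); review before running with -Apply.
param(
    [string[]]$UsersToProtect = @(),   # sAMAccountNames to add to Protected Users (assumed input)
    [switch]$Apply                     # without -Apply, only report what would change
)

function Disable-WebClientService {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host 'WebClient service not present on this host'; return }
    Write-Host "WebClient: status=$($svc.Status) startType=$($svc.StartType)"
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        Write-Host 'WebClient stopped and disabled (all WebDAV access, intranet included, is now blocked)'
    }
}

function Add-ProtectedUsers {
    param([string[]]$Users)
    if (-not $Users) { return }
    Import-Module ActiveDirectory -ErrorAction Stop   # RSAT AD module required
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    foreach ($u in $Users) {
        if ($members -contains $u) { Write-Host "$u is already in Protected Users"; continue }
        if ($Apply) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $u
            Write-Host "$u added to Protected Users (NTLM can no longer be used for this account)"
        } else {
            Write-Host "Would add $u to Protected Users"
        }
    }
}

function Block-OutboundSmb {
    # Rule name is an assumption of this example
    $name = 'Block outbound SMB (CVE-2023-23397 mitigation)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule already exists: $name"; return
    }
    if ($Apply) {
        # 'Internet' is the built-in keyword for addresses outside the local subnets.
        # Replace with -RemoteAddress Any to block all outbound SMB, intranet included.
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
        Write-Host 'Created outbound block rule for TCP/445 to non-local addresses'
    } else {
        Write-Host 'Would create outbound block rule for TCP/445'
    }
}

Disable-WebClientService
Add-ProtectedUsers -Users $UsersToProtect
Block-OutboundSmb
```

Run it first without `-Apply` to see the current WebClient state, existing group membership and whether the rule already exists; the local firewall rule only protects the host it is created on, so the perimeter and VPN controls from the bulletin still need to be applied separately.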
In addition to the formal patch, Trend Micro has supplementary rules, filters and detections that may provide additional protection against potential exploits.
Preventative Rules, Filters & Detection
Trend Micro Cloud One - Workload Security and Deep Security Policy IPS Rules
- Rule 1009058 - Detected Server Message Block (SMB) Outgoing Request
By default, this policy rule is set to Detect. Its hits should be carefully reviewed to ensure business-critical traffic is not impacted before changing it to Prevent.
Trend Micro TippingPoint Filters
- Filter 28471: SMB: SMBv1 Successful Protocol Negotiation
- Filter 28472: SMB: SMBv2 Successful Protocol Negotiation
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
- Starting with Trend Micro Smart Scan Pattern versions TBL 21474.296.07 / Smart Scan Agent 18.331.00, known exploits associated with this vulnerability are being detected as Trojan.Win32.CVE202323397.*
Using Trend Micro Products for Investigation
The following highlights several items that customers can use to investigate potential exposure to the vulnerability.
Trend Vision One™
Trend Vision One customers benefit from the XDR detection capabilities of the underlying products, such as Trend Micro Apex One. The following outlines some of the components of Trend Vision One that can be used for preparation and inventory:
Risk Insights Operations Dashboard
Trend Micro has added CVE-2023-23397 to its list of HIGHLY-EXPLOITABLE UNIQUE CVES located under the Risk Insights Operations Dashboard:
1. Open Trend Vision One and navigate to Risk Index > Operations Dashboard.
2. Select the Vulnerabilities square at the top.
3. Enter CVE-2023-23397 in the filter (optional).
4. Any potential detections would appear at the bottom of the screen.
Customers may utilize the General Search Query function in Trend Vision One to do some preliminary investigation of potential exposure:
1. Open Trend Vision One and navigate to Search.
2. Select Endpoint Activity Data for Search Method.
3. Enter the following query:
dpt: 445 AND eventSubId: 204 AND processCmd: *OUTLOOK*
4. Execute the search (and save for later if desired).
5. Take note of any suspicious results for further investigation.
6. Add to the Watchlist in Saved Queries if desired (optional).
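The Vision One query above looks for outbound connections to port 445 from an Outlook process. A complementary client-side check, as an added example (not Trend Micro's or Microsoft's code), is to look at the mail, calendar and task items themselves: the exploit relies on the item's reminder sound path, the MAPI property PidLidReminderFileParameter (property set PSETID_Common, LID 0x851F, string type), pointing at a UNC path. The script below reads that property through Outlook's COM PropertyAccessor for recent items in the default Inbox, Calendar and Tasks folders and flags any value that starts with `\\`. It assumes Outlook is installed with a profile for the current user; the folder set and the `-DaysBack` lookback window are choices of this example.

```powershell
# Added example: find Outlook items whose reminder file path is a UNC path.
# Requires Outlook installed and a configured profile; run as the mailbox user.
param(
    [int]$DaysBack = 30   # lookback window, an assumption of this example
)

# DASL name for PidLidReminderFileParameter (PSETID_Common, LID 0x851F, PtypString)
$ReminderFileProp = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

# OlDefaultFolders values: 6 = Inbox, 9 = Calendar, 13 = Tasks
$FoldersToScan = @{ Inbox = 6; Calendar = 9; Tasks = 13 }

function Get-ReminderFileFindings {
    param([int]$DaysBack)
    $outlook  = New-Object -ComObject Outlook.Application
    $ns       = $outlook.GetNamespace('MAPI')
    $since    = (Get-Date).AddDays(-$DaysBack)
    $findings = @()

    foreach ($entry in $FoldersToScan.GetEnumerator()) {
        $folder = $ns.GetDefaultFolder($entry.Value)
        foreach ($item in $folder.Items) {
            # Every Outlook item type exposes LastModificationTime; skip old items cheaply
            if ($item.LastModificationTime -lt $since) { continue }
            try {
                $path = $item.PropertyAccessor.GetProperty($ReminderFileProp)
            } catch {
                continue   # property is not set on this item
            }
            if ([string]::IsNullOrEmpty($path)) { continue }

            # A UNC path (\\host\share\...) makes Outlook authenticate to the remote
            # share when the reminder fires; a local .wav path is the benign case.
            $isUnc = $path -match '^\\\\[^\\]+\\'

            # Appointment and task items have no SenderEmailAddress
            $sender = try { [string]$item.SenderEmailAddress } catch { '' }

            $findings += [pscustomobject]@{
                Folder       = $entry.Key
                Subject      = $item.Subject
                Sender       = $sender
                Modified     = $item.LastModificationTime
                ReminderFile = $path
                Suspicious   = $isUnc
            }
        }
    }
    return $findings
}

$results = Get-ReminderFileFindings -DaysBack $DaysBack
Write-Host ("Items with a reminder file set: {0}; with a UNC path: {1}" -f `
    $results.Count, @($results | Where-Object Suspicious).Count)
$results | Where-Object Suspicious | Format-Table Folder, Subject, Sender, Modified, ReminderFile -AutoSize
```

Any item flagged as suspicious should be preserved for analysis rather than deleted outright, since the UNC host name is the indicator you will want to pivot on in the Vision One search and at the network perimeter. For organization-wide coverage, Microsoft's Exchange-side checking script referenced at the end of this article inspects the same property across mailboxes.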
Trend Micro Deep Discovery Inspector
- Rule 4479: NTLM v1 Authentication - SMB (Request)
Please continue to visit this article for updates.
- Trend Micro Research Blog: Patch CVE-2023-23397 Immediately: What You Need to Know and Do
- Microsoft Security Bulletin: CVE-2023-23397 - Security Update Guide - Microsoft Outlook Elevation of Privilege Vulnerability
- Microsoft CVE-2023-23397 Checking Script: CVE-2023-23397.md in the microsoft/CSS-Exchange repository on GitHub (commit a4c096e8b6e6eddeba2f42910f165681ed64adf7)