
Microsoft Outlook zero-day vulnerability

16 March 2023 | April 9th, 2023 | CERT, SOC, Vulnerability

This live blog contains information regarding the Microsoft Outlook zero-day vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 16, 2023.

Update 16 March 2023

16:30 | We updated our blog about the Microsoft Outlook zero-day vulnerability with the latest information. On 14 March 2023, security researchers shared technical details for exploiting the CVE-2023-23397 vulnerability.

Now that the technical details for exploiting CVE-2023-23397 are public, the chance of exploitation by malicious entities increases. It is therefore highly recommended to apply the software patches or the workaround: the vulnerability is easy to exploit and is likely to be adopted quickly by malicious entities.

The blog published by MDSec with the technical details can be found here: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

Update 15 March 2023

14:00 | On Patch Tuesday of March 2023, Microsoft released patches for 83 vulnerabilities. The most severe is a privilege escalation vulnerability in Microsoft Outlook, registered as CVE-2023-23397. This vulnerability allows a remote, unauthenticated attacker to steal credentials (a hash) by sending a specially crafted email.

The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client, so exploitation can occur before the email is even viewed in the Preview Pane.

It is advised to apply the security patches as soon as possible. Microsoft is aware of active exploitation in the wild against a small number of government, military, energy and transportation organisations. However, once exploit code becomes publicly available, it is likely that more attackers will start exploiting the vulnerability.

Reason and background of this blog

This blog contains information about the vulnerability, the possible risks and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On Patch Tuesday of March 2023, Microsoft released patches for 83 vulnerabilities. The most severe is a privilege escalation vulnerability in Microsoft Outlook, registered as CVE-2023-23397. This vulnerability allows a remote, unauthenticated attacker to steal credentials (a hash) by sending a specially crafted email.

The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client, so exploitation can occur before the email is even viewed in the Preview Pane.

Potential Risk

The vulnerability CVE-2023-23397 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10; a score of 9.8 or higher is rare and implies a high likelihood of exploitation with high impact. CVE-2023-23397 is a privilege escalation vulnerability in Microsoft Outlook that allows an unauthenticated attacker to steal credentials (a hash) by sending a specially crafted email to the victim. The vulnerability triggers automatically when the specially crafted email is retrieved and processed by the Microsoft Outlook client, so exploitation can occur before the email is even viewed in the Preview Pane.

Microsoft has stated that there is limited exploitation in the wild. However, once exploit code becomes publicly available, it is likely that more attackers will start exploiting the vulnerability.

Detail info

The vulnerability exists in all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook, such as those for Android, iOS and Mac, as well as Outlook on the web and other Microsoft 365 services, are not affected.

Microsoft has published patches and several workarounds. It is advised to apply at least one of these mitigating actions. If patching is not an option, apply the workarounds given by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397. Blocking TCP port 445 outbound is a security best practice and should be considered regardless of this vulnerability.
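The outbound TCP 445 block mentioned above, as an added example of how to apply it on a single Windows host with the built-in firewall (this is not code from the original post or from Microsoft; the rule name is an assumed label, and the `Internet` address keyword assumes the host can classify networks via Network Location Awareness):

```powershell
# Added example: block outbound SMB (TCP 445) to non-local networks with
# Windows Defender Firewall, then verify the rule. Run in an elevated shell.
$ruleName = 'Block outbound TCP 445 to Internet (CVE-2023-23397 mitigation)'  # assumed label

# Idempotent: only create the rule if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # -RemoteAddress Internet is a built-in keyword for addresses outside the
    # local subnets. Use 'Any' to block all SMB egress, but note that this also
    # breaks access to internal file shares from this host.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445 `
        -RemoteAddress Internet `
        -Action Block `
        -Profile Any `
        -Enabled True
}

# Verify: show the rule and the port and address filters attached to it.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

A host-based rule only covers that machine; the same block should also be enforced on the perimeter firewall and in VPN settings so that roaming clients are covered.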

It is advised to run the script published by Microsoft that checks Exchange messaging items (mail, calendar and tasks) for items that have been crafted to exploit the vulnerability. The script, its requirements and a step-by-step description of how to run it can be found here: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
