Latest Outlook Vulnerability may be the prime bug of the year 2023
CVE-2023-23397 is a zero-day vulnerability that Microsoft recently patched in Microsoft Outlook. If exploited, this vulnerability could allow an attacker to escalate their privileges, view the victim’s Net-NTLMv2 challenge-response authentication hash, and reveal their identity.
Security experts now say that CVE-2023-23397 is harmful enough to become the bug with the greatest impact of the year. More proof-of-concept (PoC) exploits have emerged since publication just three days ago, and because abuse requires no user involvement, this development is likely to result in a snowballing of criminal interest.
According to cybersecurity experts, further risks include disruption of corporate operations and business continuity, distribution of malware, compromise of business email for financial gain, and compromise of critical IT systems. By delivering malicious Outlook notes or tasks to the target, attackers can capture NTLM authentication passwords. These items trigger the attack as soon as the Outlook client retrieves and processes them, which could result in exploitation before the email is displayed in the Preview Pane. In other words, a target is vulnerable to an attack even if they do not read the email.
If updating cannot be done right away, there are some alternative mitigations, listed below.
How to Protect Against CVE-2023-23397
According to Hornetsecurity’s Hofmann, those who cannot apply patches right away should use perimeter firewalls, local firewalls, and VPN configurations to prevent outbound TCP 445/SMB communication from the network to the Internet. This action prevents NTLM authentication messages from being sent to remote file shares, thereby resolving the CVE-2023-23397 vulnerability.
To prohibit NTLM from being used as an authentication method, organizations should also add users to the “Protected Users Security Group” in Active Directory.
Broomhead claims that, compared to other techniques for disabling NTLM, this approach streamlines troubleshooting. It is especially helpful for high-value identities like domain administrators.
Microsoft has offered a script to locate and clean up or delete Exchange messages that contain UNC paths.
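One way to check that the outbound TCP 445 block described above is actually in effect is to audit firewall or flow logs for SMB connections that leave the internal address space. The following is an added example, not code from Microsoft or from the article's sources; the CSV log layout, the sample records, and the list of internal ranges are assumptions to adapt to your environment.

```python
import ipaddress
from collections import Counter

# Assumption: address space treated as "inside" the network; adjust to your site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flow records (hypothetical CSV layout):
# timestamp,src_ip,dst_ip,dst_port,protocol,action
SAMPLE_LOG = """\
2023-03-17T10:02:11Z,10.1.4.23,203.0.113.50,445,tcp,allow
2023-03-17T10:02:12Z,10.1.4.23,10.1.0.5,445,tcp,allow
2023-03-17T10:03:40Z,10.1.7.9,198.51.100.7,445,tcp,deny
2023-03-17T10:04:02Z,10.1.4.23,203.0.113.50,443,tcp,allow
2023-03-17T10:05:19Z,10.1.9.14,192.0.2.99,445,TCP,ALLOW
this line is malformed and must be skipped
"""

def is_internal(addr):
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def smb_egress(lines):
    """Yield (timestamp, src, dst, action) for TCP/445 flows leaving the internal ranges."""
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, dst, port, proto, action = parts
        try:
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # skip records with unparseable addresses
        if outbound and port == "445" and proto.lower() == "tcp":
            yield ts, src, dst, action.lower()

def audit(lines):
    """Split outbound SMB flows into those the firewall allowed and those it blocked."""
    flows = list(smb_egress(lines))
    allowed = [f for f in flows if f[3] == "allow"]
    blocked = [f for f in flows if f[3] != "allow"]
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE_LOG.splitlines())
    for ts, src, dst, _ in allowed:
        print(f"ALLOWED outbound SMB: {ts} {src} -> {dst}")
    print("sources to investigate:", dict(Counter(f[1] for f in allowed)))
    print("blocked attempts:", len(blocked))
```

Any flow in the allowed list means the egress block is incomplete for that path, and the source host is worth checking for patch status. Blocked attempts are also worth reviewing, since they show which clients tried to reach an external SMB server.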
Author: Harsh Vikram Shahi