NSFOCUS CERT has recently observed that Microsoft has officially released a patch update that fixes a Microsoft Outlook privilege escalation vulnerability. An unauthenticated attacker sends a specially crafted email that causes the victim's Outlook client to connect to an external UNC location controlled by the attacker, disclosing the victim's Net-NTLMv2 hash to the attacker. The attacker can then relay this hash to another service, authenticate as the victim, and ultimately elevate privileges. In addition, Microsoft's official tip states that a crafted email sent by an attacker can be triggered automatically when it is retrieved and processed by the Outlook client. This vulnerability has been detected being exploited in the wild and has a CVSS score of 9.8.
Microsoft Office Outlook is a component of the Microsoft Office suite that extends the functionality of the Outlook Express client included with Windows. Outlook offers many features, including sending and receiving email, managing contact information, and scheduling.
NSFOCUS has successfully reproduced this vulnerability.
Reference link: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37958
Scope of Impact
- Microsoft Outlook 2016 (64-bit edition)
- Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
- Microsoft Outlook 2013 RT Service Pack 1
- Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2019 for 32-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft Office 2019 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Outlook 2016 (32-bit edition)
- Microsoft Office LTSC 2021 for 32-bit editions
Users can use a script provided by Microsoft to audit their Exchange servers for mail items that may be used to exploit this vulnerability. The script link is as follows:
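As an added illustration of the kind of check such an audit performs (this is not Microsoft's audit script and not NSFOCUS code), the PowerShell function below takes path-like property values taken from mail items and flags any UNC path whose host is not on an internal allowlist. The allowlist, the host names and the sample values are all constructed for the example; the address 203.0.113.10 is from the reserved TEST-NET-3 range.

```powershell
# Added illustration (not Microsoft's audit script): flag mail-item property
# values that point at a UNC location outside the organisation.
# The allowlist and the sample values below are constructed, not real data.
$internalHosts = @('fileserver01', 'fileserver01.corp.example')   # assumed allowlist

function Test-ExternalUncPath {
    param([string]$Value)
    # A UNC path has the form \\host\share\...; capture the host portion.
    if ($Value -match '^\\\\([^\\]+)\\') {
        $hostName = $Matches[1].ToLowerInvariant()
        # Anything not on the internal allowlist would make the client
        # authenticate to a host the organisation does not control.
        return -not ($internalHosts -contains $hostName)
    }
    # Local drive paths never trigger outbound authentication.
    return $false
}

# Constructed sample values standing in for extracted mail-item properties.
$samples = @(
    'C:\Windows\Media\Alarm01.wav',          # local path: benign
    '\\fileserver01\sounds\ring.wav',        # internal UNC: allowlisted
    '\\203.0.113.10\share\reminder.wav',     # external UNC (TEST-NET address): flag
    '\\attacker.example\s\x.wav'             # external UNC: flag
)

foreach ($s in $samples) {
    $flag = if (Test-ExternalUncPath $s) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-12} {1}' -f $flag, $s
}
```

In practice the allowlist should be maintained from an inventory of legitimate file servers, and every flagged item should be reviewed rather than deleted automatically, since an internal path typed with an unexpected host name will also be flagged.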
Microsoft has officially released a security patch that fixes this vulnerability for supported product versions. Affected users are advised to enable automatic system updates and install the patches for protection.
Note: Because of network issues, computer environment issues, and other reasons, Windows Update patch installation may fail. After installing a patch, users should promptly check whether it was installed successfully: right-click the Windows logo, select "Settings", then "Updates and Security" – "Windows Update", and check the status shown on that page, or click "View Update History" to view previously installed updates.
If the patch is not installed successfully, you can download the offline installation package directly and update from it. The link is as follows: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
Temporary protective measures
If a user cannot apply the patch normally, the following measures can be used to protect against this vulnerability without affecting normal business:
1. Add users to the Protected Users security group to prevent NTLM from being used as an authentication mechanism.
Note: This operation may have some impact on applications that require NTLM.
For details, please refer to: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
2. Block outbound TCP 445/SMB traffic from the network using both perimeter and local firewalls together with VPN settings.
Note: This prevents NTLM authentication messages from being sent to remote file shares.
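The following PowerShell session is an added example (not NSFOCUS's or Microsoft's code) of applying and verifying the two interim measures above on a domain-joined Windows host. It assumes the ActiveDirectory RSAT module is installed and that the account running it has rights to modify group membership and local firewall rules; the user names and the firewall rule name are constructed placeholders.

```powershell
# Added example (not NSFOCUS's or Microsoft's code) of the two interim measures.
# Assumes the ActiveDirectory RSAT module is installed and sufficient rights.
# User names and the rule name below are constructed placeholders.

# Measure 1: add the users to the built-in 'Protected Users' group.
# Members of this group can no longer authenticate with NTLM; applications
# that depend on NTLM for these accounts will be affected, as noted above.
Import-Module ActiveDirectory
$usersToProtect = @('jdoe', 'asmith')                     # placeholder sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $usersToProtect

# Verify the membership change before relying on it.
Get-ADGroupMember -Identity 'Protected Users' |
    Where-Object { $usersToProtect -contains $_.SamAccountName } |
    Select-Object SamAccountName, ObjectClass

# Measure 2: block outbound TCP 445 on the local Windows firewall so the
# client cannot send NTLM authentication to a remote file share.
# Limiting the rule to the Public and Private profiles keeps domain-internal
# file shares reachable while the host is on the corporate network.
$ruleName = 'Block outbound SMB (TCP 445) - CVE-2023-23397 interim'
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -Action Block -Profile Public,Private -Enabled True

# Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The local rule only covers this host; the perimeter firewall rule blocking outbound 445 must be configured separately on the network edge, and both should be removed once the patch is confirmed installed.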
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.