Mitigations, Trend Micro Protection, and Detection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available and it is feasible to do so. Microsoft has released a patch as part of their March 2023 Monthly Security Update (more commonly known as "Patch Tuesday").

Also, Microsoft has outlined some additional mitigations in their security bulletin that could be applied, but as with any modification of this type, administrators should carefully consider the impact on other production applications and implement them based on a proper risk/reward analysis:
  • Customers can disable the WebClient service (however, note that it will block all WebDAV connections, including intranet ones).
  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. (This could impact applications that rely on NTLM in your environment.)
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.

In addition to the formal patch, Trend Micro does have some supplementary rules, filters and detection that may help provide additional protection against potential exploits. 
 
Preventative Rules, Filters & Detection
Trend Micro Cloud One - Workload Security and Deep Security Policy IPS Rules
  • Rule 1009058 - Detected Server Message Block (SMB) Outgoing Request
This rule can be configured to only block SMB Outgoing Requests to Public IP(s) to reduce impact on internal applications.
 
By default, this policy rule is set to Detect, and should be carefully observed if used to ensure business critical traffic is not impacted before changing to Prevent.

Trend Micro TippingPoint Filters
  • Filter 28471: SMB: SMBv1 Successful Protocol Negotiation
  • Filter 28472: SMB: SMBv2 Successful Protocol Negotiation
Please note: enabling these filters in Block mode will interrupt legitimate SMB traffic. Customers are advised to add exceptions for their Private IP address space.

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
  • Starting with Trend Micro Smart Scan Pattern versions TBL 21474.296.07 / Smart Scan Agent 18.331.00, known exploits associated with this vulnerability are being detected as Trojan.Win32.CVE202323397.* 
 

Using Trend Micro Products for Investigation


The following highlights several items that customers can use to investigate potential exposure to the vulnerability.

Trend Vision One™
Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Trend Micro Apex One.  The following outlines some of the components of Trend Vision One that can be used for preparation and inventory:

Risk Insights Operations Dashboard

Trend Micro has added CVE-2023-23397 to its list of HIGHLY-EXPLOITABLE UNIQUE CVES located under the Risk Insights Operations Dashboard:

1.  Open Trend Vision One and navigate to Risk Index > Operations Dashboard.
2.  Select the Vulnerabilities square at the top.
3.  Enter CVE-2023-23397 in the filter (optional).
4.  Any potential detections would appear at the bottom of the screen.

Search Query

Customers may utilize the General Search Query function in Trend Vision One to do some preliminary investigation of potential exposure:

1. Open Trend Vision One and navigate to Search.
2.  Select Endpoint Activity Data for Search Method.
3.  Enter the following query:

dpt: 445 AND eventSubId: 204 AND processCmd: *OUTLOOK*

4. Execute the search (and save for later if desired).

5. Take note of any suspicious results for further investigation.

6.  Add to the Watchlist in Saved Queries if desired (optional).
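As an added example (not part of the Trend Micro article or any of its products), the same search logic expressed as a script run over constructed endpoint activity records, extended to separate hits whose SMB destination is outside private address space from hits against internal shares. The record layout, the dst/endpoint fields and the case-insensitive wildcard match are assumptions.

```python
import ipaddress

# Constructed sample records (not real telemetry). Field names mirror the
# Vision One query (dpt, eventSubId, processCmd); dst/endpoint are assumed.
SAMPLE_EVENTS = [
    {"endpoint": "WS01", "dpt": 445, "eventSubId": 204, "dst": "203.0.113.10",
     "processCmd": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"endpoint": "WS02", "dpt": 445, "eventSubId": 204, "dst": "10.0.5.20",
     "processCmd": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"endpoint": "WS03", "dpt": 445, "eventSubId": 204, "dst": "203.0.113.10",
     "processCmd": r"C:\Windows\explorer.exe"},            # not Outlook
    {"endpoint": "WS04", "dpt": 443, "eventSubId": 204, "dst": "203.0.113.10",
     "processCmd": r"C:\...\OUTLOOK.EXE"},                   # not SMB
]

# Private/internal ranges, matching the "private IP address space" the
# TippingPoint exception note refers to; extend with site-specific ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def matches_query(event):
    """Mirror of: dpt: 445 AND eventSubId: 204 AND processCmd: *OUTLOOK*
    (wildcard match assumed case-insensitive)."""
    return (event.get("dpt") == 445
            and event.get("eventSubId") == 204
            and "OUTLOOK" in str(event.get("processCmd", "")).upper())


def is_internal(dst, extra_nets=()):
    """True if dst is an IP inside INTERNAL_NETS or a caller-supplied range."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False  # hostname or junk: cannot classify without resolution
    return any(ip in net for net in (*INTERNAL_NETS, *map(ipaddress.ip_network, extra_nets)))


def triage(events, extra_nets=()):
    """Return query hits tagged by priority: Outlook opening SMB to a
    non-private destination is the behaviour the outbound-445 block targets,
    so it ranks 'high'; hits on internal shares are queued for 'review'."""
    findings = []
    for ev in events:
        if not matches_query(ev):
            continue
        prio = "review" if is_internal(ev.get("dst", ""), extra_nets) else "high"
        findings.append({"endpoint": ev["endpoint"], "dst": ev["dst"], "priority": prio})
    return findings
```

Results from an actual export should be reviewed alongside the corresponding Workload Security / TippingPoint events before any block rule is tightened.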




Trend Micro Deep Discovery Inspector
  • Rule 4479:  NTLM v1 Authentication - SMB (Request)
If NTLM v1 is configured by default, customers can use this rule to monitor attempts for outgoing NTLM handshakes.  Please note this rule only detects and does not block, so it is best used as an investigative tool for follow-up.
 

Please continue to visit this article for updates.
