Update March 21, 2023: To aid defenders trying to detect and mitigate this vulnerability, we are providing a couple of additional resources. First, we are providing a ClamAV signature that detects this threat — the rule can be found on our GitHub here and can be leveraged anywhere ClamAV signatures are supported. We are also working to provide some resources to ESA customers related to this vulnerability. There is a filter on our GitHub (created by Bartosz Kozak) that can be applied as a filter using these instructions.

Please note that filters can slow down your inbox, so please use caution when applying. If the ESA Administrator would prefer to rely on Cisco Secure Endpoint + Secure Malware Analytics integration to avoid performance impacts that option is also available. That does require customers to add Word.Wizard.8(.wiz). to the File Reputation and analysis services. More information about File Reputation and Analysis Services is available here.

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Microsoft released a patch for the privilege escalation vulnerability on Tuesday as part of its monthly security update. Along with the patch, Microsoft released a security advisory detailing the targeted, but limited attacks they saw leveraging this particular vulnerability.

Microsoft subsequently assessed that the activity was associated with Russian based actors and used in limited, targeted attacks against a small number of organizations. The Computer Emergency Response Team of Ukraine first reported the vulnerability to Microsoft.

CVE-2023-23397 does not affect non-Windows versions of Outlook such as apps for Android, iOS, Mac, as well as Outlook on the web and other Microsoft 365 services. However, the CVSS attack complexity is rated “Low”. An attacker can exploit this vulnerability simply by sending the victim a specially crafted email. The vulnerability is triggered when the Outlook client retrieves and processes the message. According to Microsoft, “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

As of Wednesday evening, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Users should implement the patch as soon as possible. Additionally, Talos has released Snort rules 61478 and 61479, and Snort 3 signature 300464 to detect the exploitation of this vulnerability.

Vulnerability details

CVE-2023-23397 affects all Microsoft Outlook products on the Windows operating system. It is a critical escalation of privilege vulnerability via NTLM credential theft. Attackers can create a specially crafted email message, calendar invite, or task containing the extended MAPI property “PidLidReminderFileParameter.”

The “PidLidReminderFileParameter” property specifies the “filename of the sound that a client should play when the reminder for that object becomes overdue.” Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

Mitigations

The ideal course of action to address this vulnerability is to install the patch provided by Microsoft. If, for some reason, your organization cannot apply this particular patch, Microsoft also provided a few mitigation options including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network. For full details, see the advisory linked above.

Microsoft also released a script intended to help administrators audit their Exchange server for messaging items (mail, calendar and tasks) that have a PidLidReminderFileParameter property populated with a Universal Naming Convention (UNC) path.

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) does not have out of the box support for this particular vulnerability, however detection is available leveraging the advanced custom detection capabilities. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2023-23397
SIDs:
Snort 3: 300464
Snort 2: 61478-61479

ClamAV:
Win.Malware.CVE_2023_23397-9993083-0