What Is The Nature Of The Zero-Days?
CVE-2023-23397 – Outlook Elevation of Privilege Vulnerability (Severity: Severe)
From the Microsoft advisory: “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”
Previewing the email is not a requirement to trigger the attack, as it “triggers automatically when it is retrieved and processed by the Outlook client.”
Only Microsoft Outlook for Windows is affected. Outlook for Mac, iOS or Android, and Outlook on the web are not. Microsoft 365 does not support NTLM authentication and is not vulnerable.
CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability (Severity: Moderate)
From the Microsoft advisory: “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”
When a downloaded file is run, Windows SmartScreen checks whether a Zone.Identifier Alternate Data Stream (ADS) is attached to the file; this stream is applied by Mark of the Web as a security feature. If the ADS indicates ZoneId=3 (meaning the file was downloaded from the internet), SmartScreen performs a reputation check. This relies on Mark of the Web functioning properly, and a bypass can prevent the ZoneId from being applied in the first place.
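To make the mechanism concrete, here is an added PowerShell example (not code from the original post or from Microsoft) that reads a file's Zone.Identifier stream and reports its ZoneId. The demo file, its contents and the HostUrl value are constructed for the example; a file with no stream at all is exactly the state a MOTW bypass leaves behind, so the function reports that case explicitly.

```powershell
# Added example: inspect a file's Mark of the Web tag.
# The Zone.Identifier alternate data stream is an INI-style block; ZoneId=3 ("Internet")
# is the value that makes SmartScreen run its reputation check.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)

    # -Stream reads the alternate data stream; a file with no MOTW has no such stream.
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{
            Path   = $Path
            ZoneId = $null
            Label  = 'No Mark of the Web (SmartScreen reputation check will not run)'
        }
    }

    # Parse "ZoneId=<n>" from the [ZoneTransfer] section.
    $zoneId = $null
    foreach ($line in $ads) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    # Zone numbers as Windows defines them for URL security zones.
    $labels = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zoneId
        Label  = if ($null -ne $zoneId -and $labels.ContainsKey($zoneId)) { $labels[$zoneId] } else { 'Unknown' }
    }
}

# Demo on a constructed file (NTFS required for alternate data streams):
# write a file, then attach a Zone.Identifier stream the way a browser download is tagged.
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $sample -Value 'demo content'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/download'   # constructed value
)
Get-MotwZone -Path $sample        # ZoneId 3, Label "Internet"

# Unblock-File removes the stream; afterwards the function reports no Mark of the Web.
Unblock-File -LiteralPath $sample
Get-MotwZone -Path $sample
Remove-Item -LiteralPath $sample
```

Running `Get-MotwZone` over a download directory is a quick way to confirm that files arriving through your normal channels are actually being tagged, which is the precondition SmartScreen's reputation check depends on.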
This is the second of two known SmartScreen vulnerabilities. CVE-2022-44698, patched in December 2022, was notably used to deliver the Magniber ransomware and Qakbot infostealer in the months prior.
Who Is Exploiting These Vulnerabilities?
It is significant that state-sponsored threat actors are using these vulnerabilities in attacks against selected targets, and that the targeting may be politically motivated.
“Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.”
Microsoft has provided a script to assess if your organization has been targeted:
“To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc.”
Organizations should review the output of this script to determine risk. Any tasks, email messages and calendar items the script detects that point to an unrecognized share should be reviewed to determine whether they are malicious. If such objects are found, they should be removed, or the offending parameter should be cleared.
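The review step above is where most of the analyst effort goes, so here is an added PowerShell example (not Microsoft's script and not code from the original post) that triages a CSV of detected items by checking whether the UNC host each item points to is a share your organization recognizes. The column names (Mailbox, Subject, ReminderFilePath) and the sample rows are assumptions constructed for the example; map them to the actual columns the Microsoft script emits.

```powershell
# Added example: flag detected items whose reminder path points to an unrecognized share.

function Find-UnrecognizedShareItems {
    param(
        [Parameter(Mandatory)][object[]]$Items,           # rows from the script's CSV (assumed layout)
        [Parameter(Mandatory)][string[]]$KnownShareHosts  # hosts your organization actually serves shares from
    )
    foreach ($item in $Items) {
        $target = $item.ReminderFilePath   # assumed column holding the reminder file path
        # Only UNC paths (\\host\share\...) cause an outbound connection; local paths do not.
        if ($target -match '^\\\\([^\\]+)\\') {
            $shareHost = $Matches[1]
            [pscustomobject]@{
                Mailbox = $item.Mailbox
                Subject = $item.Subject
                Host    = $shareHost
                Known   = ($KnownShareHosts -contains $shareHost)   # -contains is case-insensitive
                Target  = $target
            }
        }
    }
}

# Hosts you recognize as legitimate file servers (assumed value).
$knownHosts = @('fileserver01.corp.example')

# Constructed sample rows standing in for the script's CSV output.
$rows = @'
Mailbox,Subject,ReminderFilePath
alice@corp.example,Team meeting,\\fileserver01.corp.example\sounds\chime.wav
bob@corp.example,Invoice overdue,\\203.0.113.25\share\reminder.wav
carol@corp.example,Project sync,C:\Windows\Media\notify.wav
'@ | ConvertFrom-Csv

# Only bob's item is reported: it points to a host that is not on the known list.
Find-UnrecognizedShareItems -Items $rows -KnownShareHosts $knownHosts |
    Where-Object { -not $_.Known } |
    Format-Table -AutoSize
```

Items that point to a known internal share still deserve a glance (an attacker with an internal foothold could use one), but the unrecognized hosts, especially bare IP addresses, are where to start the review.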
How Can I Protect Against These Exploits?
Apply the patches as soon as possible. If this is not possible for some reason, Microsoft has provided some mitigating actions for the Outlook Zero-Day:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. This mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins when possible. Please note: this may affect applications that require NTLM; however, the settings revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
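The two mitigations can be applied and verified from an elevated PowerShell session, as in this added example (not from the original post or from Microsoft). It assumes the ActiveDirectory RSAT module is installed, uses a constructed account name, and implements the "block outbound" step on the host firewall; perimeter firewall and VPN rules are configured on those devices separately.

```powershell
# Added example: apply and verify the interim mitigations for CVE-2023-23397.

# 1. Protected Users: members cannot authenticate with NTLM, so a leaked Net-NTLMv2
#    hash cannot be relayed as them. 'da-alice' is an assumed high-value account name.
Add-ADGroupMember -Identity 'Protected Users' -Members 'da-alice'
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName

# 2. Block outbound SMB (TCP 445) on the host firewall for every profile so that laptops
#    off the corporate LAN are covered too. -RemoteAddress Internet keeps internal file
#    shares reachable while stopping the outbound connection to an attacker-controlled share.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Profile Any -Action Block -Enabled True

# Verify the rule is present and enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

If your environment legitimately reaches file shares across the internet or through a VPN that the "Internet" keyword does not classify as intranet, replace `-RemoteAddress Internet` with an explicit list of the address ranges you need to block, and confirm the result with a test connection before rolling the rule out broadly.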
No mitigating action was provided for the SmartScreen Bypass.
“Microsoft Outlook Elevation of Privilege Vulnerability – CVE-2023-23397”
“Windows SmartScreen Security Feature Bypass Vulnerability – CVE-2023-24880”
“Windows SmartScreen Security Feature Bypass Vulnerability – CVE-2022-44698”
“Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws”
“Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)”