May 11, 2023
Previously Patched Microsoft Outlook Zero-Day Can be Bypassed if New Update is not Applied
Microsoft’s May 2023 security update includes a patch for a zero-day vulnerability that allows threat actors to easily bypass the patch Microsoft issued in March for a critical privilege-escalation zero-day in Outlook. That earlier flaw had been exploited by threat actors, including Russian APTs, for almost a year before it was resolved. The original vulnerability, tracked as CVE-2023-23397, provides threat actors with a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server. While Microsoft addressed the original issue with a patch in March, a security researcher from Akamai who analyzed the update found another issue that allowed him to bypass the patch completely by adding just a single character.
Microsoft assigned a separate identifier to the new zero-day, CVE-2023-29324, and issued a patch for it in the May 2023 Patch Tuesday update. CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the original Outlook vulnerability ineffective, researchers at Akamai say. “The vulnerability is easily triggered, as [it] doesn't require any special expertise," says Ben Barnea, the researcher at Akamai who discovered the new exploit. “In fact, there are many PoCs available on the Internet for the original Outlook vulnerability, and they can be easily adapted to use the new bypass.” To defend against this exploit, Microsoft recommends installing the patches for both CVE-2023-23397 and CVE-2023-29324. Given the vulnerability's low complexity and ease of exploitation, members using Outlook are encouraged to prioritize addressing it and patch accordingly. Read the original technical analysis at Akamai or a related article at SecurityWeek.
March 21, 2023
Dark Reading published an article covering CVE-2023-23397, a recently patched zero-day vulnerability in Microsoft Outlook that allows for privilege escalation and user impersonation. Cyber threat actors have already been confirmed to be utilizing this exploit in their attacks, and additional proof-of-concept exploits have been publicized, only increasing the attractiveness of this vulnerability in the eyes of criminals. What makes this exploit so dangerous is its ease of deployment: attackers can steal NTLM authentication hashes by sending Outlook notes or tasks to their target, meaning a victim doesn’t have to open anything in order to be attacked. Because of these factors and the extremely widespread use of Outlook, members are highly encouraged to prioritize patching this vulnerability. If your organization is not in a position to rapidly patch, the article suggests “administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings” and “add users to the "Protected Users Security Group" in Active Directory to prevent NTLM as an authentication mechanism.” Read more at Dark Reading.
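The perimeter mitigation quoted above targets one observable: an Outlook client opening an SMB connection to an Internet address. The following added example (not from Dark Reading, Akamai or Microsoft) checks endpoint network telemetry for exactly that traffic, so a team can confirm the block is working and spot hosts that reached out anyway. The event fields and all sample records are constructed; documentation ranges such as 203.0.113.x stand in for Internet addresses.

```python
"""Flag outbound SMB (TCP 445/139) to Internet addresses from endpoint telemetry.

Events are modelled on Sysmon Event ID 3 style network-connection records
(host, process, destination IP, destination port). Field names and sample
values are constructed for this example and are not a real export format.
"""
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {445, 139}

# Address space that is not "the Internet" for this check: RFC 1918, loopback,
# link-local and IPv6 ULA. Deliberately narrower than ipaddress.is_private so
# that documentation ranges can serve as Internet stand-ins in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str
    dst_ip: str
    dst_port: int


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    NetEvent("ws01", "OUTLOOK.EXE", "10.0.0.5", 445),      # internal file share: expected
    NetEvent("ws01", "OUTLOOK.EXE", "203.0.113.10", 445),  # Outlook -> Internet SMB: critical
    NetEvent("ws02", "chrome.exe", "198.51.100.7", 443),   # ordinary HTTPS: ignore
    NetEvent("ws03", "svchost.exe", "192.0.2.44", 139),    # other process -> Internet SMB: high
    NetEvent("ws03", "OUTLOOK.EXE", "fe80::1", 445),       # link-local IPv6: not Internet
]


def is_internet_address(ip: str) -> bool:
    """True when the address falls outside every network in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb_to_internet(events):
    """Return (severity, event) pairs the perimeter block should have stopped.

    Outlook as the originating process is the direct signature of the
    CVE-2023-23397 coercion described in the article, so it ranks highest.
    """
    findings = []
    for e in events:
        if e.dst_port in SMB_PORTS and is_internet_address(e.dst_ip):
            severity = "critical" if e.process.upper() == "OUTLOOK.EXE" else "high"
            findings.append((severity, e))
    return findings


if __name__ == "__main__":
    for severity, e in find_outbound_smb_to_internet(SAMPLE_EVENTS):
        print(f"{severity:8} {e.host} {e.process} -> {e.dst_ip}:{e.dst_port}")
```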
Additional Resources Regarding CVE-2023-23397