[Security-Discuss] Zero-Day Outlook - What have you seen in the wild vulnerability (CVE-2023-23397) & exploits?

Tom Casey tom.casey at guidepointsecurity.com
Fri Mar 17 16:37:34 EST 2023


The below was released by our GRIT.  Don't know if it adds anything but if
you get one thing out of it to reduce risk then it was worth it.


GuidePoint Research and Intelligence Team (GRIT) released a threat bulletin
on this week's patches, so I'm including it here.

*Summary*
On March 14th, 2023, Microsoft published security updates for 83
vulnerabilities, including nine identified as “Critical” severity. Two
vulnerabilities, one “Critical” and one “Moderate” severity, have been
observed under active exploitation in the wild. CVE-2023-23397, the
Critical severity zero-day vulnerability, enables a Threat Actor to elevate
privileges by exploiting vulnerable Microsoft Outlook instances. The
Moderate severity zero-day vulnerability, CVE-2023-24880, enables a bypass
of the Windows SmartScreen security feature on vulnerable Windows devices.
Based on GRIT’s review of the vulnerability documentation, the following
five vulnerabilities are of particular interest, based on exploitability
and available information. However, administrators should review and patch
all systems based on Microsoft’s recommendation.

Notable CVE Breakdown

CVE             Severity  CVSS  Attack Vector  Attack Complexity  Privileges Required  User Interaction  Exploitability
CVE-2023-23392  Critical  9.8   Network        Low                None                 None              More Likely
CVE-2023-23397  Critical  9.8   Network        Low                None                 None              Exploited
CVE-2023-23415  Critical  9.8   Network        Low                None                 None              More Likely
CVE-2023-23416  Critical  8.4   Local          Low                None                 None              More Likely
CVE-2023-24880  Moderate  5.4   Network        Low                None                 Required          Exploited

See Microsoft’s Exploitability Index
<http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=41605bd6-28f7-44ed-a1d8-30dc337f3a9c&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088>
for additional information about how Microsoft assesses the exploitability of
each vulnerability.

*HTTP Protocol Stack - Remote Code Execution (CVE-2023-23392)*
CVE-2023-23392 is a “Critical” (CVSS: 9.8) vulnerability in Microsoft’s
HTTP Protocol stack for Windows 11 and Windows Server 2022. The
vulnerability requires that the binding has HTTP/3 enabled on a host using
buffered input/output. As HTTP/3 is disabled by default, and support for
this service only exists in Windows Server 2022 and Windows 11, the
prevalence of this vulnerability is likely to be low. However, based on the
low attack complexity, lack of privileges required, and lack of user
interaction needed to exploit this vulnerability, Microsoft considers
exploitation “More Likely.” Exploitation of this vulnerability could also
be chained with CVE-2023-23410 to elevate privileges to SYSTEM on a
vulnerable host, providing a successful attacker access to system files and
the ability to attempt to further victimize the internal network.

Recommendations
Where patching Windows 11 and Windows Server 2022 machines is not an
option, consider disabling HTTP/3 support by removing the registry keys
referenced in this Microsoft Networking Blog post.

*Microsoft Outlook - Elevation of Privilege (CVE-2023-23397)*
CVE-2023-23397 is a “Critical” (CVSS: 9.8) elevation of privilege
vulnerability affecting Outlook, Microsoft Office, and Microsoft 365 Apps
on Windows hosts. This vulnerability was observed under active
exploitation, including by Russia-based threat actors targeting critical
infrastructure in Europe, according to the Microsoft Threat Intelligence
team. This vulnerability is triggered when an attacker sends a specially
crafted message which, if opened using an out-of-date version of Outlook,
triggers a “Reminder” dialog box and an outgoing NTLM authentication to an
attacker-controlled server. Using details gained from this forced
authentication attempt it is trivial for a potential threat actor to
authenticate as the user who opened the email against any system which
accepts NTLM authentication. As this vulnerability impacts Outlook apps
installed locally, Microsoft 365 online services, including Outlook Web App
(OWA), are not impacted. This vulnerability is particularly concerning due
to the ease of exploitation and potential impact, with plenty of users one
email away from potential compromise. Since several proof of concepts for
this vulnerability are already available, GRIT assesses that it is only a
matter of time before threat actors begin using it in widespread and
targeted phishing campaigns.

Recommendations
Microsoft strongly recommends patching this vulnerability immediately, as
exploitation has already been observed. In addition to patching,
administrators should add Domain Admins or other important users to the
Protected Users Security Group to prevent NTLM authentication.
Additionally, perimeter firewalls, VPNs, and local firewalls should be set
to block SMB traffic from exiting the network. This prevents any users from
sending the NTLM authentication messages used by threat actors to elevate
privileges to other services. Microsoft has released a PowerShell script
that defenders can use to audit their Exchange environments (on-premises or
Exchange Online) for emails which attempt to exploit this vulnerability.

*Windows ICMP – Remote Code Execution (CVE-2023-23415)*
CVE-2023-23415 is a “Critical” (CVSS: 9.8) remote code execution
vulnerability impacting the Internet Control Message Protocol (ICMP) on
Windows Server 2008+ and Windows 10+. Exploitation of this vulnerability
involves sending a specially crafted ICMP message to a target machine with
an application bound to a raw socket. Exploitation of this vulnerability is
considered “More Likely.”

Recommendations
While this vulnerability is considered “More Likely” by Microsoft,
exploitation is limited to applications bound to a raw socket. Since
Windows XP with Service Pack 2, the ability to send traffic over raw
sockets has been restricted. Administrators should patch all vulnerable
systems and review their environment for any applications designed to use
raw sockets. Maintaining an inventory of applications and services
utilizing these non-standard configurations can mitigate future security
risks.

*Windows Cryptographic Services – Remote Code Execution (CVE-2023-23416)*
CVE-2023-23416 is a “Critical” (CVSS: 8.4) remote code execution
vulnerability impacting the Windows Cryptographic Services in Windows
Server 2012+ and Windows 10+. Exploitation requires that a target system
import a malicious certificate. This could be conducted through social
engineering, Search Engine Optimization (SEO), or by uploading the
certificate to a service that imports certificates for the target
organization. Exploitation of this vulnerability is considered “More
Likely.”

Recommendations
Administrators should patch immediately, as attackers are prone to conduct
social engineering campaigns and abuse SEO to gain access to target
networks regularly. Users should also be briefed on the risks of accepting
and importing certificates from unknown entities without consulting with IT
staff.

*Windows SmartScreen – Security Feature Bypass (CVE-2023-24880)*
CVE-2023-24880 is a “Moderate” (CVSS: 5.4) security feature bypass
vulnerability impacting Windows Server 2016+ and Windows 10+ systems. This
vulnerability was observed under active exploitation, which allows
attackers to bypass the Windows Mark of the Web (MotW) warnings by crafting
a malicious file and making the file available to a user on a vulnerable
system. This MotW is used to enforce Protected View in Office applications.

Recommendations
In addition to patching vulnerable systems, users should be reminded to
exercise caution while interacting with files found on the web or shared by
unknown senders, as they may be part of social engineering efforts to
target the users’ systems.




*Tom Casey,* Account Executive
*GuidePoint Security LLC* | Your Mission. Secured.
*w* (804) 767-2412   *m* (703) 989-0833
*e* tom.casey at guidepointsecurity.com



On Fri, Mar 17, 2023 at 2:45 PM Weeks, Thomas "Tweeks" <t.weeks at vt.edu>
wrote:

> Anyone been hit by the new MS Outlook super critical
> vulnerability/exploit? - CVE-2023-23397 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-23397
> Info - https://securityboulevard.com/2023/03/detecting-cve-2023-23397-how-to-identify-exploitation-of-the-latest-microsoft-outlook-vulnerability/
>
> What's it looked like for your org?
>
> One not-often discussed work around is that of setting up your Windows
> clients to block outbound port 445 traffic (scoped for only their LAN)
> using the Windows Advanced Firewall.
> Here's an example of locking down outbound ports: https://www.youtube.com/watch?v=fdqMWN2LPzc
>
> (allow outbound 445, but use the "Scope" function to only allow your LAN
> outbound network range access.. blocking everything else).
>
> That will stop the exploit from completing.
>
> What are you all seeing in the wild?
> (I only use Exchange via OWA via Linux.. so I'm good ;)
>
> --
>
> *T.Weeks *
>
> *Thomas "Tweeks" Weeks *
> *Director, Technology Futures and Community Advocacy*
>
> *Division of Information Technology, Virginia Tech *
>
> *Cyber Range Engineer, VirginiaCyberRange.org <http://www.virginiacyberrange.org/>*
>
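Added example, written for this archive and not taken from either poster or from the GRIT bulletin: a PowerShell script that implements the outbound-SMB scoping both messages recommend on a Windows client, using the Windows Defender Firewall cmdlets. It assumes an elevated session and treats the RFC 1918 ranges as a placeholder "internal" set; it scopes a Block rule to everything outside that set rather than scoping an Allow rule, because Windows Firewall's default outbound action is Allow and explicit Block rules are evaluated before Allow rules, so a scoped Allow on its own changes nothing.

```powershell
# Added example (not from the thread or the GRIT bulletin). Blocks outbound
# SMB (TCP 445) to every IPv4 destination outside the internal ranges, so the
# forced NTLM authentication described for CVE-2023-23397 cannot reach an
# Internet host, while SMB to LAN file servers keeps working.
# Assumptions: run elevated on the client; $InternalV4 is a placeholder for
# your own address plan, and $BlockedV4 is its IPv4 complement, which must be
# recomputed whenever $InternalV4 changes.

$RuleName = 'CVE-2023-23397 mitigation - block SMB outbound to non-internal'

# Placeholder "internal" set: the RFC 1918 private ranges.
$InternalV4 = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Routable IPv4 space minus $InternalV4, as Windows Firewall "start-end"
# ranges. 0/8, 127/8 and 224/4 are omitted; link-local (169.254/16) and
# CGNAT (100.64/10) fall inside the blocked set, which is intended.
$BlockedV4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Set-SmbOutboundScope {
    # Re-runnable: remove an earlier copy of the rule before creating it.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block rule scoped to the non-internal ranges, applied on every profile
    # so a laptop on a public or VPN network is covered too.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress $BlockedV4 -Action Block -Profile Any `
        -Enabled True | Out-Null
}

function Test-SmbOutboundScope {
    # Return the remote-address scope actually stored for the rule, so the
    # result can be compared against $BlockedV4 after deployment.
    Get-NetFirewallRule -DisplayName $RuleName |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

Set-SmbOutboundScope
Test-SmbOutboundScope
```

Perimeter and VPN firewalls still need their own 445 egress block, as the bulletin notes; this rule only covers the client it runs on.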