[Security-Discuss] Zero-Day Outlook - What have you seen in the wild vulnerability (CVE-2023-23397) & exploits?

Weeks, Thomas "Tweeks" t.weeks at vt.edu
Sun Mar 19 20:25:43 EST 2023


Thanks for the awesome info Tom!

You going to the BSides event in May?  I think they just opened up registration:
https://bsidesroa.org/

I think they're still looking for sponsors and speakers, if you know anyone. :)

--
T.Weeks

________________________________
From: Tom Casey <tom.casey at guidepointsecurity.com>
Sent: Friday, March 17, 2023 5:37 PM
To: Weeks, Thomas "Tweeks" <t.weeks at vt.edu>
Cc: security-discuss at lists.rbtc.tech <security-discuss at lists.rbtc.tech>
Subject: Re: [Security-Discuss] Zero-Day Outlook - What have you seen in the wild vulnerability (CVE-2023-23397) & exploits?

The below was released by our GRIT.  Don't know if it adds anything but if you get one thing out of it to reduce risk then it was worth it.


GuidePoint Research and Intelligence Team (GRIT) released a threat bulletin on this week's patches, so I'm including it here.

Summary
On March 14th, 2023, Microsoft published security updates for 83 vulnerabilities, including nine identified as “Critical” severity. Two vulnerabilities, one “Critical” and one “Moderate” severity, have been observed under active exploitation in the wild. CVE-2023-23397, the Critical severity zero-day vulnerability, enables a Threat Actor to elevate privileges by exploiting vulnerable Microsoft Outlook instances. The Moderate severity zero-day vulnerability, CVE-2023-24880, enables a bypass of the Windows SmartScreen security feature on vulnerable Windows devices. Based on GRIT’s review of the vulnerability documentation, the following five vulnerabilities are of particular interest, based on exploitability and available information. However, administrators should review and patch all systems based on Microsoft’s recommendation.

Notable CVE Breakdown

CVE             Severity  CVSS  Attack Vector  Attack Complexity  Privileges Required  User Interaction  Exploitability
CVE-2023-23392  Critical  9.8   Network        Low                None                 None              More Likely
CVE-2023-23397  Critical  9.8   Network        Low                None                 None              Exploited
CVE-2023-23415  Critical  9.8   Network        Low                None                 None              More Likely
CVE-2023-23416  Critical  8.4   Local          Low                None                 None              More Likely
CVE-2023-24880  Moderate  5.4   Network        Low                None                 Required          Exploited

See Microsoft’s Exploitability Index <http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=41605bd6-28f7-44ed-a1d8-30dc337f3a9c&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088> for additional information about how Microsoft assesses the exploitability of each vulnerability.

HTTP Protocol Stack - Remote Code Execution (CVE-2023-23392)
CVE-2023-23392 is a “Critical” (CVSS: 9.8) vulnerability in Microsoft’s HTTP Protocol stack for Windows 11 and Windows Server 2022. The vulnerability requires that the binding has HTTP/3 enabled on a host using buffered input/output. As HTTP/3 is disabled by default, and support for this service only exists in Windows Server 2022 and Windows 11, the prevalence of this vulnerability is likely to be low. However, based on the low attack complexity, lack of privileges required, and lack of user interaction needed to exploit this vulnerability, Microsoft considers exploitation “More Likely.” Exploitation of this vulnerability could also be chained with CVE-2023-23410 to elevate privileges to SYSTEM on a vulnerable host, providing a successful attacker access to system files and the ability to attempt to further victimize the internal network.

Recommendations
Where patching Windows 11 and Windows Server 2022 machines is not an option, consider disabling HTTP/3 support by removing the registry keys referenced in this Microsoft Networking Blog post.

Microsoft Outlook - Elevation of Privilege (CVE-2023-23397)
CVE-2023-23397 is a “Critical” (CVSS: 9.8) elevation of privilege vulnerability affecting Outlook, Microsoft Office, and Microsoft 365 Apps on Windows hosts. This vulnerability was observed under active exploitation, including by Russia-based threat actors targeting critical infrastructure in Europe, according to the Microsoft Threat Intelligence team. This vulnerability is triggered when an attacker sends a specially crafted message which, if opened using an out-of-date version of Outlook, triggers a “Reminder” dialog box and an outgoing NTLM authentication to an attacker-controlled server. Using details gained from this forced authentication attempt, it is trivial for a potential threat actor to authenticate as the user who opened the email against any system which accepts NTLM authentication. As this vulnerability impacts Outlook apps installed locally, Microsoft 365 online services, including Outlook Web App (OWA), are not impacted. This vulnerability is particularly concerning due to the ease of exploitation and potential impact, with plenty of users one email away from potential compromise. Since several proofs of concept for this vulnerability are already available, GRIT assesses that it is only a matter of time before threat actors begin using it in widespread and targeted phishing campaigns.

Recommendations
Microsoft strongly recommends patching this vulnerability immediately, as exploitation has already been observed. In addition to patching, administrators should add Domain Admins or other important users to the Protected Users Security Group to prevent NTLM authentication. Additionally, perimeter firewalls, VPNs, and local firewalls should be set to block SMB traffic from exiting the network. This prevents any users from sending the NTLM authentication messages used by threat actors to elevate privileges to other services. Microsoft has released a PowerShell script that defenders can use to audit their Exchange environments (on-premises or Exchange Online) for emails which attempt to exploit this vulnerability.

Windows ICMP – Remote Code Execution (CVE-2023-23415)
CVE-2023-23415 is a “Critical” (CVSS: 9.8) remote code execution vulnerability impacting the Internet Control Message Protocol (ICMP) on Windows Server 2008+ and Windows 10+. Exploitation of this vulnerability involves sending a specially crafted ICMP message to a target machine with an application bound to a raw socket. Exploitation of this vulnerability is considered “More Likely.”

Recommendations
While this vulnerability is considered “More Likely” by Microsoft, exploitation is limited to applications bound to a raw socket. Since Windows XP with Service Pack 2, the ability to send traffic over raw sockets has been restricted. Administrators should patch all vulnerable systems and review their environment for any applications designed to use raw sockets. Maintaining an inventory of applications and services utilizing these non-standard configurations can mitigate future security risks.

Windows Cryptographic Services – Remote Code Execution (CVE-2023-23416)
CVE-2023-23416 is a “Critical” (CVSS: 8.4) remote code execution vulnerability impacting the Windows Cryptographic Services in Windows Server 2012+ and Windows 10+. Exploitation requires that a target system import a malicious certificate. This could be conducted through social engineering, Search Engine Optimization (SEO), or by uploading the certificate to a service that imports certificates for the target organization. Exploitation of this vulnerability is considered “More Likely.”

Recommendations
Administrators should patch immediately, as attackers are prone to conduct social engineering campaigns and abuse SEO to gain access to target networks regularly. Users should also be briefed on the risks of accepting and importing certificates from unknown entities without consulting with IT staff.

Windows SmartScreen – Security Feature Bypass (CVE-2023-24880)
CVE-2023-24880 is a “Moderate” (CVSS: 5.4) security feature bypass vulnerability impacting Windows Server 2016+ and Windows 10+ systems. This vulnerability was observed under active exploitation, which allows attackers to bypass the Windows Mark of the Web (MotW) warnings by crafting a malicious file and making the file available to a user on a vulnerable system. This MotW is used to enforce Protected View in Office applications.

Recommendations
In addition to patching vulnerable systems, users should be reminded to exercise caution while interacting with files found on the web or shared by unknown senders, as they may be part of social engineering efforts to target the users’ systems.




Tom Casey, Account Executive
GuidePoint Security LLC | Your Mission. Secured.
w (804) 767-2412   m (703) 989-0833
e tom.casey at guidepointsecurity.com



On Fri, Mar 17, 2023 at 2:45 PM Weeks, Thomas "Tweeks" <t.weeks at vt.edu> wrote:
Anyone been hit by the new MS Outlook super critical vulnerability/exploit? - CVE-2023-23397 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-23397
Info - https://securityboulevard.com/2023/03/detecting-cve-2023-23397-how-to-identify-exploitation-of-the-latest-microsoft-outlook-vulnerability/

What's it looked like for your org?

One not-often discussed work around is that of setting up your Windows clients to block outbound port 445 traffic (scoped for only their LAN) using the Windows Advanced Firewall.
Here's an example of locking outbound ports: https://www.youtube.com/watch?v=fdqMWN2LPzc
(allow outbound 445, but use the "Scope" function to only allow your LAN outbound network range access, blocking everything else).

That will stop the exploit from completing.

What are you all seeing in the wild?
(I only use Exchange via OWA via Linux.. so I'm good ;)

--
T.Weeks
Thomas "Tweeks" Weeks
Director, Technology Futures and Community Advocacy
Division of Information Technology, Virginia Tech
Cyber Range Engineer, VirginiaCyberRange.org http://www.virginiacyberrange.org/

_______________________________________________
Security-Discuss mailing list
Security-Discuss at lists.rbtc.tech
http://lists.rbtc.tech/mailman/listinfo/security-discuss
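The scoped outbound-445 rule Tweeks describes in his original question, and the "block SMB traffic from exiting the network" recommendation in the GRIT bulletin, written out as a PowerShell script. This is an added example, not code from the original thread, GuidePoint or Microsoft. Two Windows Firewall details shape it: the Scope tab has no "everything except this range" option, and a Block rule always wins over an Allow rule, so "allow LAN + block the rest" cannot be expressed as two rules unless the profile's default outbound action is changed to Block. The script instead computes the complement of the LAN ranges and puts that in a single Block rule. The LAN CIDRs and the rule name are placeholder assumptions; substitute your own.

```powershell
# Added example (not from the original thread): block outbound SMB (TCP/445)
# to every IPv4 address that is NOT in the LAN ranges, so a CVE-2023-23397
# reminder UNC path cannot reach an attacker-controlled host off-LAN.
# Windows Firewall has no "not this range" scope and Block beats Allow, so a
# single Block rule scoped to the complement of the LAN is used.
# $LanCidrs is a placeholder assumption; replace it with your own ranges.
#Requires -RunAsAdministrator
param(
    [string[]]$LanCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [string]$RuleName   = 'Block outbound SMB off-LAN (CVE-2023-23397 mitigation)'
)

function ConvertTo-AddressInt {
    # dotted-quad -> [uint64] so the range arithmetic below cannot overflow
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian
    [Array]::Reverse($bytes)                                          # BitConverter is little-endian
    return [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-AddressInt {
    param([uint64]$N)
    $bytes = [BitConverter]::GetBytes([uint32]$N)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-ComplementRanges {
    # Returns the IPv4 space NOT covered by $Cidrs as "a.b.c.d-w.x.y.z" strings,
    # the range syntax New-NetFirewallRule -RemoteAddress accepts.
    param([string[]]$Cidrs)
    $blocks = foreach ($c in $Cidrs) {
        $net, $bits = $c -split '/'
        $size  = [uint64]1 -shl (32 - [int]$bits)
        $start = ConvertTo-AddressInt $net
        $start = $start - ($start % $size)            # align to the network boundary
        [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
    }
    $ranges = @()
    $cursor = [uint64]0                               # first address not yet covered
    foreach ($b in ($blocks | Sort-Object Start)) {
        if ($b.Start -gt $cursor) {
            $ranges += '{0}-{1}' -f (ConvertFrom-AddressInt $cursor), (ConvertFrom-AddressInt ($b.Start - 1))
        }
        if ($b.End + 1 -gt $cursor) { $cursor = $b.End + 1 }   # overlapping CIDRs are tolerated
    }
    if ($cursor -le [uint64][uint32]::MaxValue) {
        $ranges += '{0}-255.255.255.255' -f (ConvertFrom-AddressInt $cursor)
    }
    return $ranges
}

$offLan = Get-ComplementRanges -Cidrs $LanCidrs
if (-not $offLan) { Write-Warning 'LAN ranges cover all of IPv4; nothing to block.'; return }

# Remove any earlier copy so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -Enabled True `
    -Profile Any -Protocol TCP -RemotePort 445 -RemoteAddress $offLan | Out-Null

# Read the rule back and show exactly what it will block.
$rule = Get-NetFirewallRule -DisplayName $RuleName
'Rule "{0}" (Enabled={1}) blocks outbound TCP/{2} to: {3}' -f $rule.DisplayName, $rule.Enabled,
    ($rule | Get-NetFirewallPortFilter).RemotePort,
    (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
```

With the default RFC 1918 placeholders the rule's remote scope comes out as 0.0.0.0-9.255.255.255, 11.0.0.0-172.15.255.255, 172.32.0.0-192.167.255.255 and 192.169.0.0-255.255.255.255; note that loopback and link-local space fall inside that complement unless you add them to $LanCidrs. Two caveats a practitioner should keep in mind: the rule covers IPv4 TCP/445 only, and Windows will fall back to WebDAV over 80/443 for a UNC path when the WebClient service is running, which also carries NTLM. Treat the firewall scope as a stopgap alongside the patch and the Protected Users step, not as a replacement for them.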