CVE-2023-23397: An Email Can Steal Your Windows Credentials


CVE-2023-23397 is a critical privilege escalation vulnerability in Microsoft Outlook that allows for the exfiltration of NTLM authentication hashes via a specially crafted email. This flaw is exploited without any user interaction and raises significant security concerns for all versions of Outlook for Windows.

Technical Details

The attack abuses the PidLidReminderFileParameter property of an Outlook item, which is meant to name a reminder sound file. An attacker sets it to a UNC path pointing at an SMB share they control. When Outlook processes a message carrying this property, it attempts to open the path and, in doing so, authenticates to the attacker's SMB server, leaking the user's Net-NTLMv2 hash.

These hashes can then be used for NTLM relay attacks or cracking attempts to obtain the plaintext credentials.

Attack Method

The attack is carried out by sending an email containing a calendar invitation or task whose PidLidReminderFileParameter property has been set to a UNC path pointing at an attacker-controlled SMB server.

When the Outlook client processes this email, it initiates a connection to the SMB share, disclosing the user’s authentication hashes without requiring any interaction from the user.

Impact and Mitigation

The impact of this vulnerability is substantial, affecting all versions of Microsoft Outlook for Windows. It allows privilege escalation and credential theft without user interaction, making it a prime target for attackers. Microsoft has identified limited, targeted exploitation by actors based in Russia, particularly against Ukrainian infrastructure.

To mitigate this vulnerability, Microsoft recommends applying the released security update immediately. If patching quickly is not possible, Microsoft suggests adding high-privilege accounts to the Protected Users group and blocking outbound SMB connections. Microsoft also provides detection scripts that identify messages exploiting the vulnerability and that audit outbound SMB connections, to assist in detecting exploitation attempts.
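A defender-side triage check for the property described above, added here as an example that is not part of the original article or of Microsoft's own detection script: given PidLidReminderFileParameter values pulled from mailbox items (the sample values and the trusted host list are constructed), it flags every item whose reminder file is a UNC path to a host outside the allowlist, since a legitimate reminder sound should be a local file.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample PidLidReminderFileParameter values keyed by a message id.
# None of these come from a real message.
SAMPLES: Dict[str, str] = {
    "msg-benign-local": "C:\\Windows\\Media\\Alarm01.wav",
    "msg-unc-external": "\\\\203.0.113.10\\share\\sound.wav",
    "msg-unc-internal": "\\\\fileserver.corp.example\\sounds\\alarm.wav",
    "msg-empty": "",
}

# Constructed allowlist of hosts an organisation might legitimately reference.
TRUSTED_HOSTS: Set[str] = {"fileserver.corp.example"}

# Matches a UNC path of the form \\host\share\... and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def extract_unc_host(value: str) -> Optional[str]:
    """Return the host named in a UNC path, or None if the value is not UNC."""
    match = UNC_RE.match(value or "")
    return match.group(1).lower() if match else None


def is_suspicious(value: str, trusted_hosts: Set[str]) -> bool:
    """True when the reminder file would make Outlook authenticate to an
    untrusted host.  Local paths and empty values are never flagged."""
    host = extract_unc_host(value)
    if host is None:
        return False
    return host not in trusted_hosts


def triage(messages: Dict[str, str], trusted_hosts: Set[str]) -> Dict[str, str]:
    """Map message id -> offending host for every item that should be reviewed."""
    flagged: Dict[str, str] = {}
    for msg_id, value in messages.items():
        if is_suspicious(value, trusted_hosts):
            flagged[msg_id] = extract_unc_host(value)  # type: ignore[assignment]
    return flagged


if __name__ == "__main__":
    for msg_id, host in triage(SAMPLES, TRUSTED_HOSTS).items():
        print(f"REVIEW {msg_id}: reminder file points at untrusted host {host}")
```

Feed it the property values exported by whatever mailbox tooling is in use; anything it flags warrants checking the sender and the outbound SMB logs for that host.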
