
Critical Privilege Escalation Vulnerability in Microsoft Outlook for Windows

Microsoft has released a critical security update to address a zero-day vulnerability known as CVE-2023-23397



Threat details

Introduction

Microsoft has released security updates for a critical zero-day vulnerability in Outlook, Office, and Microsoft 365 Apps for Enterprise, known as CVE-2023-23397. Microsoft reports that it is aware of targeted exploitation of this privilege escalation vulnerability, which allows New Technology LAN Manager (NTLM) credential theft. No user interaction is required, and exploitation can occur before a message is viewed in the preview pane.

CVE-2023-23397 can be exploited when a reminder triggers on a malicious message whose PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property is set to a Universal Naming Convention (UNC) path on an attacker-controlled Server Message Block (SMB) share.

An unauthenticated, remote attacker could send specially crafted messages that would cause a connection to an external attacker-controlled SMB server, leaking the NTLM hash of the user. The attacker could then relay the stolen NTLM hash to another service and authenticate with that user's level of privilege.
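The condition described above (a reminder sound path that would make Outlook reach out to a remote SMB host) is what a mailbox audit should look for. The following Python is an added example written for this advisory, not Microsoft's own audit script: it assumes messages have already been exported as dictionaries of extended MAPI property names to values (the sample records are constructed), and flags any PidLidReminderFileParameter that points at a host outside an allow-list.

```python
"""Audit exported Outlook message properties for CVE-2023-23397-style reminder paths."""
import re
from dataclasses import dataclass
from typing import Optional

# UNC spellings a reminder sound path may take: \\host\share\..., the long-path
# prefix \\?\UNC\host\share\..., and forward-slash or file:// variants.
_UNC_RE = re.compile(
    r"^(?:file:)?(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2,})(?P<host>[^\\/]+)(?:[\\/]|$)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    subject: str
    host: str
    path: str

def remote_host(path: str) -> Optional[str]:
    """Return the host this path would make the client contact, or None if it is local."""
    m = _UNC_RE.match(path.strip())
    if not m:
        return None  # local drive path or bare filename: no outbound connection
    host = m.group("host").split("@")[0]  # strip WebDAV-style host@SSL@port suffixes
    if host.lower() in {"localhost", "127.0.0.1", "::1"}:
        return None
    return host

def audit(messages, trusted_hosts=()):
    """Flag messages whose reminder sound file points at a host not on the allow-list."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for msg in messages:
        value = msg.get("PidLidReminderFileParameter")
        if not value:
            continue  # no custom reminder sound set
        host = remote_host(value)
        if host and host.lower() not in trusted:
            findings.append(Finding(msg.get("subject", ""), host, value))
    return findings

# Constructed sample export (assumed format; not real captured data).
SAMPLE_MESSAGES = [
    {"subject": "Team meeting", "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Invoice", "PidLidReminderFileParameter": r"\\203.0.113.10\share\alert.wav"},
    {"subject": "Review", "PidLidReminderFileParameter": r"\\?\UNC\files.example.net\sounds\a.wav"},
    {"subject": "Reminder", "PidLidReminderFileParameter": r"\\fileserver.corp.example\media\ding.wav"},
    {"subject": "No reminder"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MESSAGES, trusted_hosts=["fileserver.corp.example"]):
        print(f"{f.subject!r}: reminder file points at {f.host} ({f.path})")
```

Any hit is a candidate for removal of the property and for checking outbound SMB (TCP 445) logs for connections to that host.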

Targeted exploitation of CVE-2023-23397

Microsoft has reported exploitation of this vulnerability in limited, targeted attacks.


Remediation advice

Affected organisations are required to read Microsoft's guidance for Microsoft Outlook Elevation of Privilege Vulnerability and apply the relevant updates as soon as practicable.



Last edited: 15 March 2023 9:01 am