[CDP-development] TLP:GREEN - UPDATED (Vulnerability Alert Notification) CVE-2023-23397: Critical Vulnerability Identified In Outlook
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Thu Dec 7 09:33:05 PST 2023
Good morning,
The previous alert has been updated. Updated information has been added in red.
The Vulnerability Management team is reporting on this vulnerability due to its high visibility; we are providing this in-depth information:
MS-ISAC Advisory Number 2023-030 "Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user."
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Intelligence:
On December 4, 2023, Microsoft identified nation-state activity that is actively exploiting the vulnerability. In addition to exploiting CVE-2023-23397, the group also seeks to employ at least 7 other publicly available exploits. Microsoft strongly advises that the patches be applied to Microsoft Outlook to mitigate the vulnerability.
How it Works:
The exploit functions by means of a specially crafted message being delivered to a user that includes an extended MAPI property for Reminders that is configured to point to a threat-actor-controlled UNC path. The crafted message triggers a Net-NTLMv2 hash leak to the threat actor's server. The user does not need to interact with the message; Outlook only needs to be running when the malicious MAPI property triggers a reminder for exploitation to occur.
Post-Exploit:
Post-exploitation actions have been observed using Net-NTLMv2 relay attacks against Exchange Servers, using the Exchange Web Services API to send additional crafted messages for further malicious attacks, and using the API to enumerate folders in a user's mailbox as well as modify permissions so that any authenticated user can access all folder content with owner privileges.
IOCs:
Organizations can review SMBClient event logging for Event IDs 30800, 30803, 30806, 30804, and 31001 and monitor the ServerName field for non-trusted servers.
Additionally, Process Creation event logs may reveal the following processes used during an attempted exploit:
* Parent process: C:\Windows\system32\svchost.exe -k LocalService -p -s WebClient
* Child process: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <IP Address> hxxp://<Threat actor IP>/folder/sound.wav
The following registry keys may indicate that unexpected reminders were triggered for user Note or Task items if the user does not normally set reminders for such objects:
* HKCU\Software\Microsoft\Office\<VERSION OF OUTLOOK>\Outlook\Tasks
* HKCU\Software\Microsoft\Office\<VERSION OF OUTLOOK>\Outlook\Notes
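The three indicator classes above (SMB client events to untrusted servers, the rundll32/davclnt.dll process-creation pattern, and the Outlook Tasks/Notes reminder keys) can be checked from one script. The PowerShell below is an added example written for this alert; it is not part of the advisory or of Microsoft's guidance. It assumes the SMB client channels are named Microsoft-Windows-SMBClient/Connectivity and Microsoft-Windows-SMBClient/Security, that Security event 4688 is enabled with command-line auditing, and that the $TrustedServers placeholder list is replaced with the organization's own file and WebDAV server names.

```powershell
# Added hunting script for the CVE-2023-23397 indicators listed in this alert.
# Assumptions (not from the advisory): SMBClient channel names below, Security
# 4688 with command-line auditing enabled, and a placeholder allowlist.
param(
    [string[]]$TrustedServers = @('fileserver01.corp.example', 'fileserver02.corp.example'), # placeholder allowlist
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)
$ids   = 30800, 30803, 30806, 30804, 31001   # SMBClient Event IDs named in the alert

# Turn an event's EventData into a Name -> value hashtable.
function ConvertTo-EventDataTable {
    param($Event)
    $table = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($n in $xml.Event.EventData.Data) { $table[$n.Name] = $n.'#text' }
    return $table
}

# 1. SMB client connection events whose ServerName is not an allowlisted host.
function Get-UntrustedSmbTargets {
    $hits = foreach ($log in 'Microsoft-Windows-SMBClient/Connectivity', 'Microsoft-Windows-SMBClient/Security') {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = ConvertTo-EventDataTable $e
            $name = $d['ServerName']
            if ($name -and ($TrustedServers -notcontains $name)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Log = $log; Id = $e.Id; ServerName = $name }
            }
        }
    }
    $hits | Sort-Object Time
}

# 2. Process creation (Security 4688) matching the WebClient/davclnt.dll pattern.
function Get-DavSetCookieProcesses {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertTo-EventDataTable $e
        if ($d['CommandLine'] -match 'davclnt\.dll,DavSetCookie') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Process     = $d['NewProcessName']
                Parent      = $d['ParentProcessName']
                CommandLine = $d['CommandLine']
            }
        }
    }
}

# 3. Outlook Tasks/Notes reminder keys for every Office version under HKCU.
function Get-UnexpectedReminderKeys {
    foreach ($k in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        foreach ($sub in 'Tasks', 'Notes') {
            $path = "HKCU:\Software\Microsoft\Office\$($k.PSChildName)\Outlook\$sub"
            if (Test-Path $path) {
                [pscustomobject]@{ Version = $k.PSChildName; Key = $path }
            }
        }
    }
}

Write-Host "SMB connections to servers outside the allowlist (last $Days days):"
Get-UntrustedSmbTargets | Format-Table -AutoSize
Write-Host "rundll32 davclnt.dll,DavSetCookie process creations:"
Get-DavSetCookieProcesses | Format-Table -AutoSize
Write-Host "Outlook Tasks/Notes reminder keys present:"
Get-UnexpectedReminderKeys | Format-Table -AutoSize
```

Run it from an elevated prompt on the endpoint under review; the Security log requires administrator rights, and 4688 events carry a CommandLine field only when "Include command line in process creation events" is enabled. The registry check covers the current user's hive only; for other profiles on the same host, load the hive and query the equivalent path under HKU. A server name appearing in the SMB results is a lead to verify against the organization's known file and WebDAV hosts, not proof of exploitation on its own.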
Additional Resources:
Further information may be found at Microsoft's article on Guidance for Investigating Attacks Using CVE-2023-23397 at https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
More information can be found by reading Microsoft's Update Guide which is linked here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Additional information has been provided by MS-ISAC which is linked here: https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-march-14-2023_2023-030
As of March 16, 2023, the following vulnerability plugins have been released and are currently in Tenable Security Center:
PluginID  Plugin Name                                              Current Severity
172607    Security Updates for Outlook C2R Elevation of Privilege  Critical
          https://www.tenable.com/plugins/nessus/172607
172527    Security Updates for Outlook                             Critical
          https://www.tenable.com/plugins/nessus/172527
Recommended Actions:
* Review identified logs for unexpected or anomalous activity.
* Scan environments using provided Tenable Nessus plugins.
* Verify the host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."