CVE-2023-23397

Hacer Dalkiran
2 min read, Mar 24, 2023

Two weeks ago a zero-day vulnerability was disclosed and patched. It affects Microsoft Outlook for Windows (including the client that ships with Microsoft 365 Apps), and the attack runs over SMB, port 445: a specially crafted message carries a reminder-sound path that points to an attacker-controlled SMB share, and when the reminder fires Outlook connects to that share and sends the user's Net-NTLMv2 response.

What makes it interesting is that it needs no user interaction: the victim does not have to open or even preview the message, only have Outlook running when the reminder triggers. It is rated critical because the leaked Net-NTLMv2 response can be relayed to other services or cracked offline, which puts domain credentials at risk.

Let's dive in a little more.

Who are affected, who are not affected?

All supported versions of Microsoft Outlook for Windows are affected, including the Outlook client installed with Microsoft 365 Apps.

Outlook for Android, iOS and macOS is not affected, and neither is Outlook on the web or the other Microsoft 365 online services, which do not support NTLM authentication.

[Demonstration video from the original post, not reproduced here.] As the demonstration shows, harvesting Net-NTLMv2 hashes this way takes little effort.

In an enterprise environment outbound port 445 is usually blocked by perimeter devices, so the client never reaches the attacker's share. However, with remote working and bring-your-own-device so common these days, a laptop on a home network or public Wi-Fi has no such perimeter in front of it, and its Net-NTLMv2 response can be captured this way.

I will not dwell on privileged accounts such as Tier 1 and Tier 2 admins or domain admins: if they have mailboxes, they should already be members of the Protected Users group in Active Directory, whose members cannot authenticate with NTLM at all. Note that Microsoft advises against putting service and computer accounts into that group, since it breaks NTLM and delegation for them.
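The two mitigations above, as an added PowerShell example (not from the original post): block outbound SMB to non-local addresses on the endpoint itself, so a roaming laptop is covered even without a perimeter, and move privileged mailbox owners into Protected Users. It assumes an elevated shell with the NetSecurity and ActiveDirectory modules available; the rule name and the account names are placeholders.

```powershell
# Added example (not from the original post). Assumes an elevated shell with the
# NetSecurity and ActiveDirectory modules; account names are placeholders.

# 1. Block outbound TCP 445 to anything outside the local networks.
#    Outlook can still reach intranet file shares, but an attacker-hosted share
#    on the Internet is unreachable, so no Net-NTLMv2 response is ever sent.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Put privileged user accounts that own mailboxes into Protected Users.
#    Members of that group cannot authenticate with NTLM, so even a leaked
#    reminder path yields nothing usable. Do not add service or computer
#    accounts here (Microsoft's guidance).
$privilegedAccounts = @('t1-admin-alice', 't2-admin-bob')   # placeholder sAMAccountNames
foreach ($acct in $privilegedAccounts) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct
}

# 3. Verify both changes took effect.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

The `Internet` address keyword relies on Windows' network location classification; on a tightly managed estate you may prefer to list your own internal ranges and block everything else. Protected Users also disables cached credentials, RC4 and DES for Kerberos, and shortens ticket lifetimes, so test the effect on a pilot account before moving admins in bulk.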

What is the Solution?

Microsoft has released patches; apply them first. For detection, the following Microsoft script checks Exchange messaging items (mail, calendar and tasks) to see whether the reminder-sound property (PidLidReminderFileParameter) is populated with a non-empty string value.

From that value we can then determine whether the item is malicious: a UNC path to a host outside the organization is the exploit, while a local path is at most a custom reminder sound.

With the same script an admin can either clear the malicious property or remove the item entirely.

https://github.com/microsoft/CSS-Exchange/releases/latest/download/CVE-2023-23397.ps1
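To make the "is the property populated, and is it malicious?" decision concrete, here is an added PowerShell example (not from the original post and not Microsoft's script) that classifies PidLidReminderFileParameter values the way a triage pass over the script's audit output would. The items are constructed sample data, and the host addresses and mailbox names are placeholders.

```powershell
# Added example (not from the original post or Microsoft's script).
# Classifies PidLidReminderFileParameter values found on messaging items.

function Get-ReminderPathVerdict {
    param([AllowNull()][string]$ReminderFileParameter)

    # Empty property: the item uses the default reminder sound, nothing to do.
    if ([string]::IsNullOrWhiteSpace($ReminderFileParameter)) {
        return 'Clean'
    }
    # UNC path (\\host\share\..., including WebDAV forms such as \\host@80\...):
    # Outlook would authenticate to that host when the reminder fires.
    if ($ReminderFileParameter -match '^\\\\[^\\]+') {
        $targetHost = ($ReminderFileParameter -split '\\')[2]
        $targetHost = $targetHost -replace '@.*$', ''   # drop WebDAV port suffix
        return "Suspicious: UNC path to host '$targetHost'"
    }
    # Anything else (e.g. C:\Windows\Media\chimes.wav) is a local custom sound.
    return 'Review: local path'
}

# Constructed sample items; real data would come from the audit script's CSV.
$sampleItems = @(
    [pscustomobject]@{ Mailbox = 'alice@example.com'; Subject = 'Weekly sync'; ReminderFileParameter = $null },
    [pscustomobject]@{ Mailbox = 'alice@example.com'; Subject = 'Invoice';     ReminderFileParameter = '\\203.0.113.10\share\alert.wav' },
    [pscustomobject]@{ Mailbox = 'bob@example.com';   Subject = 'Stand-up';    ReminderFileParameter = '\\203.0.113.10@80\dav\alert.wav' },
    [pscustomobject]@{ Mailbox = 'bob@example.com';   Subject = 'Dentist';     ReminderFileParameter = 'C:\Windows\Media\chimes.wav' }
)

$sampleItems | ForEach-Object {
    [pscustomobject]@{
        Mailbox = $_.Mailbox
        Subject = $_.Subject
        Verdict = Get-ReminderPathVerdict $_.ReminderFileParameter
    }
} | Format-Table -AutoSize
```

Every mailbox with a "Suspicious" verdict is a candidate for cleanup (clear the property or delete the item) and for the credential reset described below; the host name extracted from the path is also a useful indicator to search for in proxy and firewall logs.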

Microsoft's remediation guidance is in the MSRC link at the end of this post.

Users whose mailboxes contained such items should be treated as potentially compromised: reset their AD passwords and review where those accounts authenticated from. Outbound port 445 should be blocked wherever it is not strictly needed, on the endpoint firewall as well as at the perimeter so that remote machines are covered too.

Further reading:

https://www.huntress.com/blog/everything-we-know-about-cve-2023-23397

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
