Preventing the Exploitation of CVE-2023-23397

2 min. read, last update: 03.20.2023

Link to Microsoft Update Guide: CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability

What is CVE-2023-23397?

CVE-2023-23397 is a vulnerability in Microsoft Outlook for Windows. It is triggered when the Outlook client processes a specially crafted calendar event or task whose reminder is already overdue, so the client acts on it as soon as the message arrives and before the user opens or interacts with it. The crafted item points Outlook at a path on an attacker-controlled SMB server; when Windows connects to that server it automatically attempts NTLM authentication and hands the attacker the user's Net-NTLMv2 response (an NTLM challenge-response derived from the password hash Windows uses to authenticate users). This is the setup for an NTLM relay (often called an SMB relay) attack: the victim's machine is tricked into authenticating to a server the attacker controls, and the captured authentication is then reused or cracked.

Threat actors can use the captured NTLM authentication in various ways to gain unauthorized access to systems or data, such as:

  • NTLM Relay Attacks: While the victim's authentication is in flight, the attacker forwards it to another service that accepts NTLM (a file share, LDAP, Exchange Web Services) and does not enforce signing, and is thereby authenticated there as the victim. Note that what leaks is a one-time Net-NTLMv2 challenge-response, not the NT hash itself, so it cannot be replayed at will in a classic pass-the-hash attack; it has to be relayed live or cracked.
  • Offline Cracking: The attacker feeds the captured Net-NTLMv2 response to a password cracker and tries candidate passwords against it. If the password is weak, the attacker recovers it and can then sign in as the victim directly.

ThreatLocker Recommendations 

Although we have not replicated CVE-2023-23397, we understand how the exploit takes place, and we recommend Ringfencing Office so that its internet access is more granular:

  • Allow TCP 80 (HTTP) and TCP 443 (HTTPS) [web traffic]
  • Deny TCP 445 [SMB]
  • Allow TCP 7680 [Windows Update Delivery Optimization]

Common Mitigations 

  1. Add users to the Protected Users security group. Members of that group cannot authenticate with NTLM at all, so Outlook has nothing to leak. The group also disables DES and RC4 Kerberos encryption, credential delegation and cached logons, so pilot it on a small set of privileged accounts and confirm Kerberos works everywhere they sign in before rolling it out widely.
  2. Block TCP 445 (SMB) outbound from your network at the perimeter firewall, on the local host firewall, and in your VPN client configuration. Keep internal file servers reachable; the goal is to stop SMB to the internet, not all SMB.
  3. Apply the latest Microsoft patches. The fix is in the Outlook for Windows client, so patching Exchange servers alone does not address it.
  4. Run the PowerShell script published by Microsoft (linked below) against your Exchange environment; it scans mailbox items (mail, calendar and task items) for the malicious reminder path that indicates an attack and can remove the offending items.
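The port restriction above and Common Mitigations 1, 2 and 4, carried out as one added PowerShell example. This is not ThreatLocker's Ringfencing policy and not Microsoft's CVE-2023-23397 script; it uses Windows Firewall, the RSAT ActiveDirectory module and the Outlook COM API. The function names, the rule name and the public-address carve-out list are my own choices; the MAPI property it looks for (PidLidReminderFileParameter, the reminder sound file path, from the MS-OXPROPS specification) is the one the crafted items abuse and is not named on this page.

```powershell
# Added example for CVE-2023-23397 mitigations. Assumptions: run elevated on a
# domain-joined Windows client with Outlook installed; the ActiveDirectory
# module (RSAT) is available for the Protected Users step.

# --- 1. Block outbound SMB to non-private addresses (Common Mitigation 2) ---
# A rule to "Any" would break internal file servers, and Windows Firewall
# cannot carve an allow out of a block, so block only public IPv4 space.
# Assumed carve-out: everything outside RFC 1918. Extend for IPv6 if routed.
$PublicIPv4 = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB to Internet (CVE-2023-23397)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress $PublicIPv4 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

# --- 2. Put high-value accounts in Protected Users (Common Mitigation 1) ---
# Members cannot authenticate with NTLM, so the leak never happens for them.
# Side effects: no DES/RC4 Kerberos, no delegation, no cached logons, 4-hour
# TGT lifetime. Pilot with a small group first.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
}

# --- 3. Look for the indicator in this user's mailbox (complements Mitigation 4) ---
# Crafted items set PidLidReminderFileParameter to a UNC path on the attacker's
# server. DASL name: property set PSETID_Common, LID 0x851F, type PtypString.
$ReminderFileDasl = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

function Find-UncReminders {
    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')
    # olFolderCalendar = 9, olFolderTasks = 13, olFolderNotes = 12
    foreach ($folderId in 9, 13, 12) {
        $folder = $session.GetDefaultFolder($folderId)
        foreach ($item in @($folder.Items)) {
            try   { $path = $item.PropertyAccessor.GetProperty($ReminderFileDasl) }
            catch { continue }   # property not set on this item: nothing to flag
            # Anything that is not a local file path is suspicious; UNC forms
            # (\\host\share or //host/share) are the known payload shape.
            if ($path -match '^(\\\\|//)') {
                [pscustomobject]@{
                    Folder       = $folder.Name
                    Subject      = $item.Subject
                    ReminderFile = $path
                }
            }
        }
    }
}

# Usage (each step is independent):
# Block-OutboundSmbToInternet
# Add-ToProtectedUsers -SamAccountName 'jdoe', 'asmith'
# Find-UncReminders | Format-Table -AutoSize
```

The mailbox scan only sees the mailbox of the signed-in user and only the default Calendar, Tasks and Notes folders; for a whole organisation use Microsoft's server-side script instead. The firewall rule stops the SMB connection regardless of which process triggered it, which matters here because the connection is made by the Windows SMB client on Outlook's behalf, not by OUTLOOK.EXE itself.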

Link to suggested PowerShell script released by Microsoft:
