On March 14th, a new man-in-the-middle vulnerability was announced. While it certainly wasn't the first of its kind, or the last, the way information about the update came to light and the fragmented responses of organizations worldwide concern me. It's only going to get worse.
## Let's discuss CVE-2023-23397
### Exploitability
This vulnerability is HIGHLY exploitable for any organization using the Outlook client. Attackers exploit it by crafting a specialized email with an extended [MAPI property](https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/mapi-property-overview) containing a UNC path to an SMB share on an external network.
>[!Note]
>Ideally your organization doesn't allow port 445 out of your network, given the extensive use of that port by ransomware. However, this DOESN'T mean your users' home networks also block or monitor that access.
The result of this attack vector is an attempt to authenticate against any service supporting NTLM authentication.
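The defender's side of the mechanism just described, as an added example that is not Microsoft's investigation script or code from this post: given the per-message value of the extended MAPI reminder-sound property (PidLidReminderFileParameter) exported from mailboxes, it recognizes UNC paths and flags those pointing at hosts outside a constructed internal allowlist, since those are the values that would make Outlook send an NTLM authentication to an external share. The `.corp.example` suffix and the sample message list are assumptions built for the example.

```python
import ipaddress
import re

# Assumption for this example: hosts under these DNS suffixes or inside RFC 1918 ranges are internal.
INTERNAL_SUFFIXES = (".corp.example",)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# \\host\share[\path]; host and share contain no backslashes or whitespace.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\([^\\\s]+)(?:\\(.*))?$")

def parse_unc(value):
    """Return (host, share, path) when value is a UNC path, else None."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    host, share, path = m.groups()
    return host.lower(), share, path or ""

def is_internal_host(host):
    """RFC 1918 IP literals and allowlisted DNS suffixes count as internal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than an IP literal
        return host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in PRIVATE_NETS)

def triage(messages):
    """messages: (message_id, reminder property value or None) pairs -> (id, host, share, external)."""
    findings = []
    for message_id, value in messages:
        parsed = parse_unc(value) if value else None
        if parsed is None:
            continue  # property absent, or a local file such as Outlook's default sound
        host, share, _ = parsed
        findings.append((message_id, host, share, not is_internal_host(host)))
    return findings

def external_targets(messages):
    """Message IDs whose reminder property would make Outlook authenticate to an external host."""
    return [mid for mid, _, _, external in triage(messages) if external]

# Constructed sample of exported property values (not real mailbox data).
SAMPLE_MESSAGES = [
    ("msg-1", r"C:\Windows\Media\chimes.wav"),               # local file, benign
    ("msg-2", r"\\fileserver.corp.example\audio\ding.wav"),  # internal by suffix
    ("msg-3", r"\\10.20.30.40\sounds\ding.wav"),             # internal by RFC 1918
    ("msg-4", r"\\files.example.net\s\a.wav"),               # external host
    ("msg-5", None),                                         # property absent
]
```

Internal hits are still returned by `triage` so an analyst can review them; only `external_targets` narrows to the messages worth escalating.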
### Scope of Impact
>[!Quote]
>All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
>
> [Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center](https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/)
The scope of impact for this vulnerability is extensive. Effectively any organization using Outlook and Microsoft Exchange (Online or otherwise) is at risk. For clarity, every Windows system running an unpatched version of Outlook is at risk.
### Risk
The CVSS score for this vulnerability is 9.8. If your organization uses Exchange, online or on-prem, and uses Windows devices, your organization is at risk and has been at risk for months. This vulnerability must not only be patched but also investigated.
>[!Important]
>Many organizations discount the importance of the investigation step and focus only on the patching component. See the section on the ongoing threat later in this article.
### Mitigation
The quickest mitigation for this vulnerability is installing the newest Office version. Depending on your organization's patching process, this may be easy or difficult.
You can implement additional protections depending on your organization's infrastructure. Some considerations may include the following:
- Are you Cloud Only?
  - Do you need to allow NTLM?
- Are you On-Prem Only?
  - Have you hardened NTLM and implemented the Protected Users group?
- Are you Hybrid?
  - Have you implemented both of the above considerations?
- Do you allow remote work?
  - Do you properly manage and monitor identities with behavior-based monitoring?
For companies that use the C2R (Click-to-Run) version of Office and manage patching via Intune, forcing updates may be challenging.
One possible solution is to use an Intune script with the code from the team at PatchTuesday:
https://patchtuesday.com/blog/critical-patches/microsoft-office-critical-update-cve-2023-23397/
### Chasing Data
If you have Defender ATP, you can use KQL to find machines in your environment still at risk for this CVE:
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2023-23397")
| project DeviceName, DeviceId, CveId, SoftwareVendor, SoftwareName
```
Keep in mind you may want to filter out data from outdated machines.
## The ongoing threat
On March 24th, Microsoft released a complete threat guide on assessing whether a user was compromised by threat actors exploiting this vulnerability. Organizations must realize, understand and accept that this vulnerability is not over just because a patch has been applied.
>[!Warning]
>Understanding the nature and cost of a persistent threat is where most organizations will need help. Security always has a price. When the remediation is a simple, straightforward "patch machines XYZ to version 123 of software YYY," the cost of this action is clear and typically already paid for by having a team who executes patch management. Patch management is a known motion to the business. Organizations in the 500 - 10K endpoint space are less likely to have the required resources when the cost is ongoing vigilance and deep inspection of logs.
[Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/)
Investigating these attacks takes time and, for many organizations, will feel like a witch hunt. Unfortunately, this is the true cost of security: constant, never-ending vigilance.
It's not pretty; it's not 'the new hotness'; it's a grind, a slog through thousands of mailboxes and hundreds of thousands of event logs.
Unfortunately, this type of work is hard to market. Its importance is only remembered once it's too late, leaving security teams and organizations worldwide with a consistent, glaring weakness.
>[!Quote]
>Microsoft has traced evidence of potential exploitation of this vulnerability as early as April 2022
>
>[Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/)
This means attackers could potentially have been in your systems for 12 months, and at this point they could have established multiple layers of persistence.
I fully expect this vulnerability to have a high degree of impact over the next year.