Franky's Web

Outlook CVE-2023-23397: What to do?

The Outlook vulnerability CVE-2023-23397 is currently being actively exploited. This is particularly critical because exploitation requires no user interaction. By exploiting the vulnerability, attackers can obtain the user's NTLM hash and possibly use it for follow-up attacks. To exploit the vulnerability, it is sufficient to send the user a specially prepared e-mail or calendar invitation that triggers a reminder and plays a user-defined sound for that reminder. Here is an example:

The sound file configured for the reminder, however, is not a local WAV file that Outlook should play, but a path to an attacker-controlled server on the Internet, for example:

At the reminder time (with a reminder offset of 0 minutes, i.e. immediately), Outlook tries to reach that server over SMB on the Internet. If the attacker's server responds and requests client authentication, Outlook sends the user's NTLM hash to the attacker. Further details and a demonstration can be found here:

As mentioned at the beginning, this vulnerability is being actively exploited, so action must be taken as quickly as possible:

Block port 445 (SMB) on the perimeter firewall

All unused ports should actually be closed on the perimeter firewall, but unfortunately a common configuration opens only the required ports from the outside in while allowing all ports and protocols from the inside out. This is often the case with inexpensive routers, which are frequently used in home offices. Outbound port 445 to the Internet is hopefully already blocked on the company's perimeter firewall; if not, this must be implemented now.

In addition, the many home office users must now also be considered. If possible, port 445 towards the Internet should be blocked there as well. However, if there is no central management for the home office firewalls or routers, not too much time should be invested here; it is better to install the available security update or to add the user accounts to the "Protected Users" group.

Add home office user accounts to the "Protected Users" group

So that the client does not even attempt NTLM authentication, the user accounts can be added to the Active Directory group "Protected Users". This group disables NTLM as an authentication method for its members. In most cases, however, this will cause problems with other applications that use NTLM. In the current situation it is nevertheless a good stopgap until the security update has been installed. Closing port 445 at the firewall and adding the users to the "Protected Users" group is quick and provides initial protection against exploitation of the vulnerability.

Install security update for Outlook

Microsoft has released a security update for Outlook that closes the vulnerability. The available security updates should therefore be installed as soon as possible. The download links for the updates can be found in this article:

At this point you can stop reading and update all Outlook installations. Once the updates are complete, you can continue.

Run the CVE-2023-23397 script

Microsoft has published a PowerShell script that scans mailboxes for messages and other items that exploit the vulnerability and can also delete these harmful items. The script can be downloaded here:

Depending on the number and size of the mailboxes, however, the search for these items can take quite a long time. Moreover, if there is a hit, it must be assumed that the vulnerability was successfully exploited: even if port 445 was blocked at the company's perimeter firewall, the affected user may have been in the home office or on the road at a customer's site at the time of exploitation, where no such protection existed. Before running the script and searching for affected users, it is therefore essential to carry out the three steps described above first.

In my opinion, the script runs fastest directly on the Exchange servers. With several Exchange servers and several databases, the script can also be run on several servers in parallel, which saves time. To run the script on the Exchange servers, the following steps can be carried out (replace "BENUTZER" with the account that runs the script):

New-ThrottlingPolicy "CVE-2023-23397-Script"
Set-ThrottlingPolicy "CVE-2023-23397-Script" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity "BENUTZER" -ThrottlingPolicy "CVE-2023-23397-Script"

New-RoleGroup -Name "CVE-2023-23397-Script" -Roles "ApplicationImpersonation" -Description "Permission to run the CVE-2023-23397"
New-ManagementRoleAssignment -name:CVE-2023-23397-Script -Role:ApplicationImpersonation -User:BENUTZER

Next, the EWS library must be downloaded. The package is actually a NuGet package with the file extension NUPKG, but the extension can simply be renamed to ZIP. The "lib" folder from the ZIP archive can then be copied into the same folder as the script on the Exchange server:

The script can now be started. All mailboxes can be searched for malicious items with the following command, for example:

Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL https://localhost/EWS/Exchange.asmx -IgnoreCertificateMismatch -DLLPath C:\Scripts\CVE-2023-23397\lib\40\Microsoft.Exchange.WebServices.dll

The command must be run in the Exchange Management Shell, and the path to Microsoft.Exchange.WebServices.dll must be adjusted accordingly.

If you have several databases and Exchange servers, you can let the script search one database on each Exchange server, running it in parallel on several servers to save time. Here is an example:

Get-Mailbox -Database "MEINEDB1" -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL https://localhost/EWS/Exchange.asmx -IgnoreCertificateMismatch -DLLPath C:\Scripts\CVE-2023-23397\lib\40\Microsoft.Exchange.WebServices.dll

In large environments the script can take a very long time, so it may make sense to limit the time frame. Here is the example from above, restricted to the last 14 days:

Get-Mailbox -Database "MEINEDB1" -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL https://localhost/EWS/Exchange.asmx -IgnoreCertificateMismatch -StartTimeFilter ((get-date).AddDays(-14)) -EndTimeFilter (get-date) -DLLPath C:\Scripts\CVE-2023-23397\lib\40\Microsoft.Exchange.WebServices.dll

However, there are indications that CVE-2023-23397 has been exploited since April 2022, so searching only a short period may lull you into a false sense of security; at least the last year should be searched.

If there are hits, the script creates a CSV file with the items found. You should review this CSV file; I had a few false positives in it. The malicious items can then be deleted with the following command:

.\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearItem -EWSServerURL https://localhost/EWS/Exchange.asmx -IgnoreCertificateMismatch -CleanupInfoFilePath "PFADZURCSV"
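Because the scan's CSV can contain false positives, it is worth triaging the hits before feeding the file to the cleanup command. The following Python is an added example, not part of the original post or of Microsoft's script: it classifies each hit by where the reminder sound path points (a local file, a known internal host, or an external host, which is the pattern described above). The CSV column names, the internal host names and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import re

# Hosts that are legitimately reachable from the clients (assumed values for this
# example; replace with the organisation's own server names and DNS suffixes).
INTERNAL_HOSTS = ("fileserver01", "corp.example")

# Matches a UNC path (\\host\share\... or the long form \\?\UNC\host\share\...)
# and captures the host part. A drive-letter path does not match.
UNC_HOST = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\?]+)(?:\\|$)", re.IGNORECASE)


def reminder_target_host(reminder_path):
    """Host the reminder sound path (PidLidReminderFileParameter) points to,
    or None if it names a local file."""
    match = UNC_HOST.match(reminder_path.strip())
    return match.group(1).lower() if match else None


def classify(reminder_path):
    """'local': plays a file on the client, no network access.
    'internal': UNC path to a known internal host (likely a false positive).
    'external': UNC path to any other host, the pattern this vulnerability abuses."""
    host = reminder_target_host(reminder_path)
    if host is None:
        return "local"
    if any(host == h or host.endswith("." + h) for h in INTERNAL_HOSTS):
        return "internal"
    return "external"


def triage_csv(csv_text):
    """Group scan hits by classification. Column names are assumptions; check them
    against the header of the CSV the script actually produced."""
    groups = {"external": [], "internal": [], "local": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["ReminderFileParameter"])
        groups[verdict].append((row["Mailbox"], row["Subject"]))
    return groups


# Constructed sample rows in the assumed column layout (not real scan output).
SAMPLE_CSV = r"""Mailbox,Subject,ReminderFileParameter
alice@corp.example,Quarterly review,\\fileserver01\sounds\chime.wav
bob@corp.example,Invoice,\\203.0.113.7\share\x.wav
carol@corp.example,Lunch,C:\Windows\Media\Alarm01.wav
dave@corp.example,Meeting,\\?\UNC\reminder.example.net\p\s.wav
"""
```

Treat the "external" rows as the hits to clean up and to follow with the password reset described below; review the "internal" rows by hand rather than trusting the heuristic blindly.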

Reset passwords of affected users

If the script finds hits, it should first be assumed that the exploitation of the vulnerability was successful. The user may have been outside the protection of the company firewall at the time. It is therefore advisable to change the user's password and to add the user to the "Protected Users" group. You should then also monitor for suspicious login attempts with these user accounts, for example via VPN or OWA.

CVE-2023-23397 and Office 365 / Exchange Online?

Since CVE-2023-23397 is a vulnerability in Outlook and not in Exchange or Exchange Online, Exchange Online admins also have work to do. The Microsoft scan script can also be run against Exchange Online and Office 365, so the steps described above apply equally if Office 365 is used.
