PT-2023-1662 · Microsoft · Outlook

Published 2023-03-14 · Updated 2026-05-04 · CVE-2023-23397

CVSS v3.1: 10 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Outlook versions prior to February 2023 Patch Tuesday

Description

CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook. Exploitation allows attackers to gain unauthorized access to email accounts within Microsoft Exchange servers. The attack is no-click and zero-interaction: a user does not need to open a malicious email for exploitation to occur. It relies on specially crafted emails with calendar events or tasks that reference UNC paths controlled by the attacker. The flaw allows the theft of NTLM credentials, which can then be used in relay attacks or to gain access to other services.

The Russian-linked threat actor APT28 (also known as Fancy Bear, Forest Blizzard, and Strontium) has been actively exploiting this vulnerability since at least April 2022, targeting organizations in various sectors, including those in the United States, Ukraine, and Poland. The group has used it to steal NTLM authentication messages and potentially compromise systems. Reports indicate the vulnerability has been used in attacks against government, logistics, defense, aerospace, and IT companies. Hundreds of small office/home office routers were used to facilitate these attacks.

The vulnerability allows attackers to bypass security measures and gain unauthorized access to sensitive information.

Recommendations

Update Microsoft Outlook to the latest version available to address CVE-2023-23397.

Exploit

Fix

LPE

DoS

Information Disclosure

RCE

Weakness Enumeration

Related Identifiers

BDU:2023-01214
CVE-2023-23397

Affected Products

Outlook