CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability
Incident Report for Ascend Security Events
Resolved
This incident has been resolved.
Posted Mar 21, 2023 - 11:04 CDT
Identified
Description:
CVE-2023-23397 is a critical Microsoft Outlook vulnerability that is triggered when an attacker sends a message containing an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor-controlled server. A threat actor could leverage this flaw by sending a specially crafted email, which is activated automatically when it is retrieved and processed by the Outlook client for Windows. As a result, exploitation can occur without any user interaction, even before the message is viewed in the Preview Pane.

Remediation:
Microsoft released a patch on March 14, 2023 that remediates this vulnerability. The update is available from Microsoft Update; when automatic updating is enabled, it will be downloaded and installed automatically.

Ascend is actively pushing and installing the update for this vulnerability to patching clients. Non-patching clients are encouraged to apply this patch as soon as possible. Applying this patch may require users to restart the Outlook app.

In the event that patches cannot be applied to remediate this vulnerability, the following mitigating factors may be helpful:

- Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. This mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins when possible. Please note: this may impact applications that require NTLM; however, the settings revert once the user is removed from the Protected Users group. Please see Protected Users Security Group for more information.

- Block TCP 445/SMB outbound from your network using a perimeter firewall, a local firewall, and your VPN settings. This prevents NTLM authentication messages from being sent to remote file shares.
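The following PowerShell is an added example, not part of this advisory or of Ascend's own patching tooling. It applies and then verifies both mitigations above on a domain-joined Windows host: it adds placeholder accounts to the Protected Users group (reversibly) and creates a local Windows Firewall rule that blocks outbound TCP 445 on the Public and Private profiles, leaving the Domain profile (and therefore on-premises file shares) untouched. It assumes the ActiveDirectory and NetSecurity modules are installed, that the session is elevated and has rights to change group membership, and that the account names and rule name are placeholders you replace.

```powershell
# Added example (not from the original advisory): apply and verify the two
# CVE-2023-23397 mitigations described above.
# Assumptions: ActiveDirectory (RSAT) and NetSecurity modules are available,
# the session is elevated, and the account names below are placeholders.

Import-Module ActiveDirectory
Import-Module NetSecurity

# --- Mitigation 1: Protected Users group (members cannot authenticate with NTLM) ---
$accounts = @('placeholder.domainadmin')   # placeholder SAM account names, replace

foreach ($sam in $accounts) {
    $existing = Get-ADGroupMember -Identity 'Protected Users' |
        Where-Object { $_.SamAccountName -eq $sam }
    if ($existing) {
        Write-Host "$sam is already a member of Protected Users"
    } else {
        # Membership is reversible: Remove-ADGroupMember restores NTLM for the account.
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
        Write-Host "Added $sam to Protected Users"
    }
}

# --- Mitigation 2: block outbound SMB (TCP 445) on non-domain networks ---
# Scoped to the Public and Private profiles so that SMB to internal file shares
# on the Domain profile keeps working while SMB leaving over untrusted networks
# (home Wi-Fi, hotspots, VPN split tunnels classed as Public/Private) is blocked.
$ruleName = 'Block outbound SMB TCP 445 (CVE-2023-23397 mitigation)'   # placeholder name

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Profile Public, Private -Action Block -Enabled True | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "Firewall rule already present: $ruleName"
}

# --- Verification: show the rule state and the current Protected Users membership ---
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object SamAccountName, objectClass
```

Run it from an elevated session on a host with RSAT installed. Both changes roll back cleanly: Remove-ADGroupMember takes the account out of Protected Users, and Remove-NetFirewallRule -DisplayName with the same rule name deletes the block rule. If you also need to cover the Domain profile, Windows Firewall has no address negation, so you would pair a Domain-profile block rule with explicit allow rules for your internal SMB server ranges; the perimeter firewall and VPN controls the advisory lists remain the primary place to block 445 leaving the network.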

Resources:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
- https://thehackernews.com/2023/03/microsoft-rolls-out-patches-for-80-new.html

Author: George Smith & Noah Krueger
Posted Mar 15, 2023 - 16:18 CDT