Warning of a critical vulnerability in Microsoft Outlook

The National Cyber Security Centre SK-CERT warns of a critical vulnerability in Microsoft Outlook that a remote, unauthenticated attacker can exploit to obtain a victim's NTLM credentials, elevate privileges and gain access to the victim's network.

Microsoft Outlook is a popular and widely used email client. It is deployed worldwide, including throughout Slovak organisations.

The vulnerability, tracked as CVE-2023-23397, is triggered by a specially crafted email message (a calendar or task item whose reminder sound-file property points to an attacker-controlled UNC path). When Outlook processes the reminder it connects to that path over SMB and attempts to authenticate, disclosing the user's NTLM credential material (a Net-NTLMv2 hash) that the attacker can relay or crack to gain access to the victim's network. No user interaction is required: the message does not need to be opened or even previewed. Microsoft has stated that the vulnerability is being actively exploited.

The vulnerability has been assigned a CVSS base score of 9.8 and is therefore rated as critical.

The vulnerability affects all supported versions of Microsoft Outlook for Windows released before the 14 March 2023 security update. Other clients (e.g. Outlook for Android, iOS or Mac), Outlook on the web and other Microsoft 365 online services are not affected, as they do not use NTLM authentication.

To check whether your organization has been, or currently is, targeted by attackers exploiting this vulnerability, you can use the script and accompanying documentation published on Microsoft's official website: https://aka.ms/CVE-2023-23397ScriptDoc. The script scans Exchange mailboxes for messages carrying the malicious reminder property and can remove it.

With regard to this vulnerability, the National Cyber Security Centre SK-CERT recommends the following to all users running a vulnerable version of Microsoft Outlook for Windows:

  • immediately update the application to the latest version, as Microsoft has released a patch for the vulnerability,
  • if the security patch cannot be installed immediately, apply Microsoft's official mitigations:
      • add users to the Protected Users security group, which prevents those accounts from authenticating with NTLM; note that this may break authentication to other applications and services that still require NTLM,
      • block outbound communication on TCP port 445 (SMB) from the network to the internet, using the perimeter firewall, local firewalls and VPN settings,
  • review network logs for at least the last week, focusing on outbound connections on TCP port 445 to external hosts; SMB traffic leaving the organisation's network is not expected and is a strong indicator of exploitation,
  • if a cybersecurity incident is detected, report it to the National Cyber Security Centre SK-CERT at [email protected].
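The log review recommended above can be scripted. The following is an added example, not part of the SK-CERT advisory or Microsoft's detection script: it scans constructed firewall log lines (a hypothetical `key=value` export format, not any real vendor's format) for outbound TCP/445 connections to addresses outside the organisation's internal ranges within the last seven days and summarises them per source/destination pair. The internal prefixes (RFC 1918 plus loopback and link-local) are an assumption and should be replaced with the organisation's own address plan; denied connections are kept in the result because a blocked attempt still shows that a client tried to reach an external SMB server.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical key=value format, not a real vendor export).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges standing in
# for attacker-controlled internet hosts.
SAMPLE_LOG = """\
ts=2023-03-10T08:12:03Z src=10.0.4.21 dst=10.0.1.5 proto=tcp dport=445 action=allow
ts=2023-03-13T14:27:41Z src=10.0.4.21 dst=203.0.113.77 proto=tcp dport=445 action=allow
ts=2023-03-13T14:27:42Z src=10.0.4.21 dst=203.0.113.77 proto=tcp dport=445 action=allow
ts=2023-03-14T09:03:10Z src=10.0.7.8 dst=198.51.100.9 proto=tcp dport=445 action=deny
ts=2023-03-14T09:05:00Z src=10.0.7.8 dst=198.51.100.9 proto=tcp dport=443 action=allow
ts=2023-03-01T11:00:00Z src=10.0.9.3 dst=192.0.2.55 proto=tcp dport=445 action=allow
"""

# Assumed internal address ranges; replace with the organisation's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Fixed "now" so the sample analysis is reproducible (the review window is 7 days).
SAMPLE_NOW = datetime(2023, 3, 15, 12, 0, 0)


def parse_line(line):
    """Turn one key=value log line into a typed record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
        "action": fields["action"].lower(),
    }


def is_external(addr):
    """True if the address lies outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text, now, window_days=7):
    """Return records for outbound TCP/445 to external hosts within the review window.

    Internal SMB (file shares, domain controllers) is normal and skipped; denied
    connections are kept, because the attempt itself indicates Outlook tried to
    authenticate to an external SMB server.
    """
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != 445:
            continue
        if not is_external(rec["dst"]):
            continue
        if rec["ts"] < cutoff:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate hits per (src, dst): total attempts, how many were allowed, first/last seen."""
    summary = {}
    for rec in hits:
        key = (str(rec["src"]), str(rec["dst"]))
        entry = summary.setdefault(
            key, {"count": 0, "allowed": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["count"] += 1
        if rec["action"] == "allow":
            entry["allowed"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def analyze_sample():
    """Run the detection over the constructed sample log with the fixed review window."""
    return summarize(find_smb_egress(SAMPLE_LOG, SAMPLE_NOW))


if __name__ == "__main__":
    for (src, dst), info in analyze_sample().items():
        print(f"{src} -> {dst}:445  attempts={info['count']} allowed={info['allowed']} "
              f"first={info['first'].isoformat()} last={info['last'].isoformat()}")
```

Every source host that appears in the output should be treated as a possible victim: its Outlook client was prompted to authenticate to an external SMB server, so the affected user's password should be reset and the mailbox checked with Microsoft's script for the malicious message.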


