Elevation of privilege vulnerability in Microsoft Outlook

The vulnerability allows a remote attacker to compromise the affected system. It exists because the application leaks the Net-NTLMv2 hash of the Windows account: a remote attacker can send a specially crafted email to the victim and obtain that hash. The victim does not need to open the email, since the vulnerability is triggered automatically when the email server retrieves and processes it, for example before the email is viewed in the preview pane.

The captured Net-NTLMv2 hash can then be used in an NTLM relay attack against another service to authenticate as the victim.

Note that the vulnerability is being actively exploited.

Vulnerable versions:

  • Microsoft Outlook: 2013 - 2021
  • Microsoft Office: 365 - 2021

CVE:

CVE-2023-23397

Mitigation:

Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes it easier to troubleshoot other methods of disabling NTLM. When possible, consider using it for high-value accounts, such as domain administrators.

This may affect applications that require NTLM; however, the setting reverts once the user leaves the Protected Users group.

Block outbound TCP 445/SMB from your network using the perimeter firewall, the local host firewall and the VPN configuration. This prevents NTLM authentication messages from being sent to remote file shares.
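The two mitigations above, applied from an elevated PowerShell session on a domain-joined host, as an added example that is not part of the advisory; the account names, the rule names and the choice of firewall profiles are assumptions for this example, and the Protected Users step assumes a domain whose Protected Users group exists (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the advisory). Requires the ActiveDirectory and
# NetSecurity modules; run elevated on a domain-joined machine.

# Constructed sample account names: replace with your high-value accounts
# (the advisory suggests domain administrators).
$HighValueAccounts = @('da.alice', 'da.bob')

# --- Mitigation 1: Protected Users, which disables NTLM for its members ---
$protectedUsers = Get-ADGroup -Filter "Name -eq 'Protected Users'"
if (-not $protectedUsers) {
    throw 'Protected Users group not found; the domain must be Windows Server 2012 R2 or later.'
}
Add-ADGroupMember -Identity $protectedUsers -Members $HighValueAccounts

# Verify the membership actually took effect before relying on it.
$members = Get-ADGroupMember -Identity $protectedUsers | Select-Object -ExpandProperty SamAccountName
$missing = $HighValueAccounts | Where-Object { $_ -notin $members }
if ($missing) { Write-Warning "Not yet in Protected Users: $($missing -join ', ')" }

# --- Mitigation 2: block outbound TCP 445 on the local firewall ---
# Windows Firewall gives Block rules precedence over Allow rules, so the block
# is scoped by profile rather than by address: it applies on Private and Public
# networks (roaming laptops, home networks), while the Domain profile keeps
# access to internal file servers. Tighten to -Profile Any if the perimeter
# firewall already handles intranet SMB, or if no internal shares are needed.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Private, Public -Enabled True | Out-Null
}

# Confirm the rule is present, enabled, and bound to port 445.
Get-NetFirewallRule -DisplayName $ruleName |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled
                           Action = $_.Action; RemotePort = $port.RemotePort }
    }
```

Outbound 445 can still be tested afterwards with Test-NetConnection against an external address on port 445; the connection should fail on the profiles where the rule applies.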

If you have a service contract with Anida with which you can manage this vulnerability, do not hesitate to contact your Service Manager.
