FortiGuard Labs Threat Research

Exploring a Recent Microsoft Outlook Vulnerability: CVE-2023-23397

By Emily Chen | April 12, 2023

FortiGuard Labs recently investigated an Elevation of Privilege vulnerability in Microsoft Outlook that can be exploited by sending a crafted email to a vulnerable version of the software. When the victim receives the email, an attempt to connect to an attacker’s device is triggered, resulting in the victim’s NTLMv2 hash being leaked.

The vulnerable property resides in the PidLidReminderFileParameter extended MAPI property, which specifies the filename of a sound to be played when a reminder for an object is overdue.

Figure 1: Reminder Dialog to Customize a Sound

To trigger the vulnerability, the sender simply modifies the PidLidReminderFileParameter message property to point to a malicious UNC path in a calendar or task item invite. To replicate this vulnerability, we used the Outlook AppointmentItem object to customize a malicious appointment email in the Calendar folder.

Figure 2: Snippet of POC Script Containing the Vulnerable Message Property

No interaction from the recipient is required. As soon as the email is received, a reminder pop-up appears on the recipient’s device, and Outlook attempts to open the UNC path over SMB. Because that path points to an untrusted network, the attempt carries NTLM authentication with it, behind the scenes.

Figure 3: Calendar Pop-Up Dialog on Receipt of the Malicious Email

Figure 4: Initiation of the NTLM Authentication

To obtain the recipient’s NTLMv2 hash during this authentication, a MitM (Man-in-the-Middle) listener is set up on the attacker-controlled host to capture and poison the incoming requests. A bad actor can then use the exposed hashes, via NTLM authentication, to elevate their privileges on other systems, potentially gaining control of services without the email recipient’s knowledge.

Figure 5: Leaked Recipient’s Username and Hash

Microsoft Outlook Vulnerability Solution

Microsoft has released a script that checks for the presence of the PidLidReminderFileParameter message property in Exchange messaging items. This script provides the option to sanitize or fully remove items containing the vulnerable parameter.

Figure 6: Snippet of Patch Script Removing the Vulnerable Extended MAPI Property
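As an added, defender-side illustration (not Microsoft's script and not part of the original post), the check below applies the same idea to property values already extracted from messaging items: any PidLidReminderFileParameter value that is a UNC path to a host outside a hypothetical internal allow-list is flagged as an item to sanitize or remove. The allow-list, the internal DNS suffix, the address ranges and the sample items are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical internal allow-list; a real deployment supplies its own values.
TRUSTED_HOSTS = {"fileserver.corp.example", "nas01"}
INTERNAL_SUFFIX = ".corp.example"
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches \\host\share, the long-path form \\?\UNC\host\share, and the
# \\host@80\share and \\host@SSL\share forms the Windows redirector routes to WebDAV.
UNC_RE = re.compile(
    r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\@]+)(?:@(?:\d+|SSL))?(?:\\|$)", re.IGNORECASE
)

def unc_host(value):
    """Host named by a PidLidReminderFileParameter value, or None for a local file / no value."""
    m = UNC_RE.match(value or "")
    return m.group("host").lower() if m else None

def is_internal(host):
    """True for allow-listed names, the internal DNS suffix, or an RFC 1918 address."""
    if host in TRUSTED_HOSTS or host.endswith(INTERNAL_SUFFIX):
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def classify(value):
    """'ok': no sound or a local file; 'internal-unc': UNC path to an internal host;
    'untrusted': UNC path that would send the recipient's NTLM credentials off-network."""
    host = unc_host(value)
    if host is None:
        return "ok"
    return "internal-unc" if is_internal(host) else "untrusted"

# Constructed sample items: (subject, PidLidReminderFileParameter value).
SAMPLE_ITEMS = [
    ("Weekly sync", None),
    ("Dentist", r"C:\Windows\Media\reminder.wav"),
    ("Team offsite", r"\\nas01\sounds\chime.wav"),
    ("Invoice due", r"\\203.0.113.7\share\x.wav"),
    ("Board meeting", r"\\?\UNC\attacker.example\s\x.wav"),
    ("Webinar", r"\\203.0.113.7@80\dav\x.wav"),
]
def scan(items):
    """Subjects whose reminder sound points off-network: sanitize (clear the property) or remove."""
    return [subject for subject, value in items if classify(value) == "untrusted"]
```

The classification is deliberately conservative: a reminder sound that legitimately lives on an internal share is reported separately rather than dropped, so an operator can decide how to handle it.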

Microsoft has also released an advisory for CVE-2023-23397 outlining the latest security updates. All users with a vulnerable version of Microsoft Outlook are encouraged to patch their systems immediately.

Fortinet Protections

FortiGuard AntiVirus detects the malicious files identified in this report as:

  • MSOffice/Reminder.EOP!tr
  • MSOffice/CVE_2023_23397.A!exploit
  • MSOffice/CVE_2023_23397.B!exploit
  • MSOffice/CVE_2023_23397.FBFC!exploit

FortiGuard IPS protects organizations with the following signature:

  • MS.Outlook.CVE-2023-23397.Elevation.Of.Privilege

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, FortiEDR, and FortiProxy. The FortiGuard IPS service is supported by FortiGate. Customers running up-to-date versions of these products are protected.

Given the ease of disruption, the damage to daily operations, the potential impact on an organization's reputation, and the unwanted destruction or release of PII, it is essential to keep all AV and IPS signatures current.

This threat is delivered as an email attachment. FortiMail and FortiSandbox can detect and quarantine malicious attachments for such campaigns.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.