A severe credential exposure vulnerability has been discovered affecting all versions of Outlook for Windows. The monthly patch bundle released by Microsoft on Tuesday, March 14th includes a patch for this issue, and updates are strongly advised as exploits for this vulnerability have already been reported. Outlook for the Mac is NOT affected, nor are the Outlook versions for Android, iOS, or Outlook accessed via a web browser (Outlook on the Web).
On March 16th, IMSS performed system maintenance to address this critical vulnerability on all Managed Computers.
Details
The vulnerability specifically affects Outlook for Windows when used to access mail from a server that authenticates with NTLM hashes. In particular, on-premises Exchange servers typically use this form of authentication, while Microsoft's Office365 or M365 cloud email service does not. The vulnerability lies in Outlook's handling of email messages containing UNC links to SMB servers. Upon receiving such a message, Outlook will automatically attempt to log into the SMB server using NTLM, without user intervention of any kind. If the SMB server is controlled by an attacker, the victim Outlook user's credentials can be captured as a reusable (and crackable) NTLM hash that can allow the attacker to gain access to the victim's email or other resources that authenticate via NTLM, such as Windows file shares.
Mitigation
Patching is strongly advised. If your Windows computer is set to receive updates for Microsoft Office products using Windows Update, the patch can be obtained most easily by simply running Windows Update. Check your settings:
https://support.microsoft.com/en-us/office/update-office-with-microsoft-update-f59d3f9d-bd5d-4d3b-a08e-1dd659cf5282
The patch is also available separately here:
https://support.microsoft.com/en-us/office/install-office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5
Additional information about updating Microsoft Office products is here:
https://support.microsoft.com/en-us/office/install-office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5
Other mitigations include blocking outbound access to port 445, which is used for accessing SMB servers. Port 445 is already blocked at the campus borders.
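The two points above (Outlook connecting out to an attacker-controlled SMB server on its own, and blocking outbound port 445 as a mitigation) can be checked from a host's own firewall log. The following Python script is an added example, not part of this advisory or of any IMSS tooling: it parses lines in the Windows Firewall (pfirewall.log) layout and reports outbound TCP/445 attempts to addresses outside a set of internal ranges. The log lines are constructed, and the INTERNAL_NETS list is an assumption (RFC 1918 plus loopback and link-local) that a real deployment would replace with its own ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List

# Assumption for this example: RFC 1918 plus loopback and link-local count as
# internal. Substitute the organisation's actual address ranges in practice.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SMB_PORT = 445  # port used to reach SMB servers; the port the advisory says is blocked at the border

# Constructed sample in the Windows Firewall pfirewall.log layout; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-03-15 09:12:01 ALLOW TCP 10.20.30.40 10.20.31.5 51234 445 0 - 0 0 0 - - - SEND
2023-03-15 09:12:07 ALLOW TCP 10.20.30.40 203.0.113.77 51240 445 0 - 0 0 0 - - - SEND
2023-03-15 09:12:08 DROP TCP 10.20.30.40 198.51.100.9 51241 445 0 - 0 0 0 - - - SEND
2023-03-15 09:13:00 ALLOW TCP 10.20.30.40 93.184.216.34 51250 443 0 - 0 0 0 - - - SEND
2023-03-15 09:13:02 ALLOW TCP 203.0.113.9 10.20.30.40 40000 445 0 - 0 0 0 - - - RECEIVE
"""


@dataclass
class FwRecord:
    date: str
    time: str
    action: str      # ALLOW or DROP
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    path: str        # SEND (outbound) or RECEIVE (inbound)


def parse_firewall_log(text: str) -> Iterator[FwRecord]:
    """Yield one record per data line; '#' header lines and short/malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:
            continue
        yield FwRecord(
            date=f[0], time=f[1], action=f[2], protocol=f[3],
            src_ip=f[4], dst_ip=f[5],
            src_port=int(f[6]) if f[6].isdigit() else 0,
            dst_port=int(f[7]) if f[7].isdigit() else 0,
            path=f[16],
        )


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(text: str) -> List[FwRecord]:
    """Outbound TCP/445 attempts to non-internal addresses.

    An ALLOW entry means no egress block was in effect on that path; a DROP
    entry shows the block working, but still identifies a host that tried to
    reach an external SMB server and is worth a closer look.
    """
    hits = []
    for rec in parse_firewall_log(text):
        if rec.path != "SEND" or rec.protocol != "TCP" or rec.dst_port != SMB_PORT:
            continue
        if is_internal(rec.dst_ip):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_external_smb(SAMPLE_LOG):
        print(f"{rec.date} {rec.time} {rec.action:5} {rec.src_ip} -> {rec.dst_ip}:{rec.dst_port}")
```

On the sample above the script reports the two connections to 203.0.113.77 (allowed) and 198.51.100.9 (dropped) and ignores internal SMB traffic, HTTPS, and inbound connections. Note that a border block on port 445 only stops connections leaving the campus network; an SMB server inside the network is still reachable, which is why patching rather than the port block is the primary fix.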
Since the Microsoft Office365 mail service does not use NTLM hashes for authentication, this vulnerability primarily affects campus users who may be using Outlook to access mail from other servers running Exchange either instead of, or in addition to, the central campus mail service.
References
Microsoft writeups:
https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Helpnet Security writeup:
https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/
Writeup from MDSec including description of exploit:
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
Additional information about reuse of NTLM hashes, aka "NTLM relay attacks":
https://www.qomplx.com/blog/qomplx-knowledge-ntlm-relay-attacks-explained/
If you have any questions, please contact the Help Desk at 626.395.3500, help@caltech.edu, or https://help.caltech.edu.