Microsoft Issues Patch for Severe Vulnerability CVE-2023-23397 Targeting Government, Energy, and Transport Sectors

In early September 2021, Microsoft released a security update that addressed a critical vulnerability in its Outlook email client. The vulnerability, marked as CVE-2021-38647, impacted all versions of Microsoft Outlook and allowed threat actors to steal sensitive information from the organization’s email servers. This vulnerability was so serious that security analysts called for immediate action to be taken by Microsoft and its users. It is essential for everyone to understand the impact of this vulnerability and to take necessary action to prevent potential attacks.

Background information on the Outlook vulnerability

The vulnerability discovered by security researchers from Cisco Talos was rated with a CVSS score of 8.8 out of 10, marking it as a critical vulnerability. Microsoft later determined that the activities resulted from Russian-based actors and that they were being used in targeted attacks against a limited number of organizations. The vulnerability, marked as CVE-2021-38647, was an extension of the original vulnerability discovered in 2020, a different vulnerability known as “CVE-2023-23397,” which affects all Microsoft Outlook products that run on the Windows operating system.

Details of the vulnerability affecting all Microsoft Outlook products

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It is a cushion bypass vulnerability in NTLM that could be exploited for the purpose of credential theft to gain affluent access to an organization through an escalation of privilege vulnerability. An attacker can gain access to an Outlook server through an email, calendar invites, or tasks that utilize the extended MAPI property ‘PidLidReminderFileParameter.’ The property in question was intended for reminder purposes, but if exploited, would allow the attacker to execute arbitrary code on a vulnerable system.

During this period, threat actors targeted and breached the networks of approximately 15 critical organizations related to the government, energy, and transportation sectors. These organizations probably had a high concentration of sensitive information stored in their email systems, making them easy targets for the threat actors.

Threat actors can exploit the vulnerability by creating emails, calendar invites, or tasks that contain the extended MAPI property ‘PidLidReminderFileParameter.’ If an unsuspecting user opens the email, the code within the attachment may execute, leading to credential theft and privilege escalation, as the attacker gains access to the targeted email system.

This vulnerability could result in both credential theft and escalation of privilege vulnerability. If exploited, an attacker could gain high-level access to the targeted organization’s email systems. Potential attackers could then access sensitive data, which could be catastrophic for the organization. They could use the data for ransom purposes, or leverage it for competitive advantage.

The extended MAPI property ‘PidLidReminderFileParameter’ can be used by threat actors to create emails, calendar invites, or tasks that contain an attached file. This file contains a file path that Outlook replicates seamlessly, like an internal network file share or an SMB server Microsoft Windows server. This creates an opportunity for attackers to access passwords and other credential data that have been inadvertently duplicated and saved to the organization’s email systems.

An attacker may be able to exploit a vulnerable system’s Net-NTLMv2 hash by performing an NTLM relay attack on another system. This means that the attacker could gain access to other devices on the organization’s network.

The importance of installing the patch provided by Microsoft

Regarding CVE-2021-38647, Microsoft has already released a security update that fixes the vulnerability. Installing the patch as soon as possible would be an ideal move to address the vulnerability. It is also worth noting that if the fix has already been applied, it can be checked for effectiveness using available evaluation tools. While fixing the vulnerability would solve the immediate concern, more needs to be done to ensure that the organization does not fall prey to similar attacks in the future.

The significance of blocking outbound port TCP/445 from the network to prevent NTLM messages from leaving is that it is not enough to simply install the patch and assume that the vulnerability and similar ones have been addressed permanently. Blocking port TCP/445 outbound from the network is crucial in preventing the NTLM messages from leaving the network. Hackers cannot perpetrate an attack if messages are not leaving the organization’s network. Blocking this TCP port can thwart other potential attacks in which the organization’s internal networks are leveraged to carry out other malicious activities.

In conclusion, it is strongly advised by security analysts that admins apply and check all recommended mitigations immediately to prevent any attacks effectively. These include installing the relevant patch provided by Microsoft, blocking port TCP/445 outbound from the network to prevent NTLM messages from leaving, and educating users on best practices to avoid email-based attacks in the first place. Failure to take necessary action could have disastrous implications for the organization, and waiting for an attack to occur before taking the required measures is not worth it. Being proactive on this front is the only way to prevent potential harm to the organization.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.