Microsoft Issues Patch for Severe Vulnerability CVE-2023-23397 Targeting Government, Energy, and Transport Sectors

In early September 2021, Microsoft released a security update that addressed a critical vulnerability in its Outlook email client. The vulnerability, marked as CVE-2021-38647, impacted all versions of Microsoft Outlook and allowed threat actors to steal sensitive information from the organization’s email servers. This vulnerability was so serious that security analysts called for immediate action to be taken by Microsoft and its users. It is essential for everyone to understand the impact of this vulnerability and to take necessary action to prevent potential attacks.

Background information on the Outlook vulnerability

The vulnerability discovered by security researchers from Cisco Talos was rated with a CVSS score of 8.8 out of 10, marking it as a critical vulnerability. Microsoft later determined that the activities resulted from Russian-based actors and that they were being used in targeted attacks against a limited number of organizations. The vulnerability, marked as CVE-2021-38647, was an extension of the original vulnerability discovered in 2020, a different vulnerability known as “CVE-2023-23397,” which affects all Microsoft Outlook products that run on the Windows operating system.

Details of the vulnerability affecting all Microsoft Outlook products

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It is a cushion bypass vulnerability in NTLM that could be exploited for the purpose of credential theft to gain affluent access to an organization through an escalation of privilege vulnerability. An attacker can gain access to an Outlook server through an email, calendar invites, or tasks that utilize the extended MAPI property ‘PidLidReminderFileParameter.’ The property in question was intended for reminder purposes, but if exploited, would allow the attacker to execute arbitrary code on a vulnerable system.

During this period, threat actors targeted and breached the networks of approximately 15 critical organizations related to the government, energy, and transportation sectors. These organizations probably had a high concentration of sensitive information stored in their email systems, making them easy targets for the threat actors.

Threat actors can exploit the vulnerability by creating emails, calendar invites, or tasks that contain the extended MAPI property ‘PidLidReminderFileParameter.’ If an unsuspecting user opens the email, the code within the attachment may execute, leading to credential theft and privilege escalation, as the attacker gains access to the targeted email system.

This vulnerability could result in both credential theft and escalation of privilege vulnerability. If exploited, an attacker could gain high-level access to the targeted organization’s email systems. Potential attackers could then access sensitive data, which could be catastrophic for the organization. They could use the data for ransom purposes, or leverage it for competitive advantage.

The extended MAPI property ‘PidLidReminderFileParameter’ can be used by threat actors to create emails, calendar invites, or tasks that contain an attached file. This file contains a file path that Outlook replicates seamlessly, like an internal network file share or an SMB server Microsoft Windows server. This creates an opportunity for attackers to access passwords and other credential data that have been inadvertently duplicated and saved to the organization’s email systems.

An attacker may be able to exploit a vulnerable system’s Net-NTLMv2 hash by performing an NTLM relay attack on another system. This means that the attacker could gain access to other devices on the organization’s network.

The importance of installing the patch provided by Microsoft

Regarding CVE-2021-38647, Microsoft has already released a security update that fixes the vulnerability. Installing the patch as soon as possible would be an ideal move to address the vulnerability. It is also worth noting that if the fix has already been applied, it can be checked for effectiveness using available evaluation tools. While fixing the vulnerability would solve the immediate concern, more needs to be done to ensure that the organization does not fall prey to similar attacks in the future.

The significance of blocking outbound port TCP/445 from the network to prevent NTLM messages from leaving is that it is not enough to simply install the patch and assume that the vulnerability and similar ones have been addressed permanently. Blocking port TCP/445 outbound from the network is crucial in preventing the NTLM messages from leaving the network. Hackers cannot perpetrate an attack if messages are not leaving the organization’s network. Blocking this TCP port can thwart other potential attacks in which the organization’s internal networks are leveraged to carry out other malicious activities.

In conclusion, it is strongly advised by security analysts that admins apply and check all recommended mitigations immediately to prevent any attacks effectively. These include installing the relevant patch provided by Microsoft, blocking port TCP/445 outbound from the network to prevent NTLM messages from leaving, and educating users on best practices to avoid email-based attacks in the first place. Failure to take necessary action could have disastrous implications for the organization, and waiting for an attack to occur before taking the required measures is not worth it. Being proactive on this front is the only way to prevent potential harm to the organization.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable