Microsoft Issues Patch for Severe Vulnerability CVE-2023-23397 Targeting Government, Energy, and Transport Sectors

In early September 2021, Microsoft released a security update that addressed a critical vulnerability in its Outlook email client. The vulnerability, marked as CVE-2021-38647, impacted all versions of Microsoft Outlook and allowed threat actors to steal sensitive information from the organization’s email servers. This vulnerability was so serious that security analysts called for immediate action to be taken by Microsoft and its users. It is essential for everyone to understand the impact of this vulnerability and to take necessary action to prevent potential attacks.

Background information on the Outlook vulnerability

The vulnerability discovered by security researchers from Cisco Talos was rated with a CVSS score of 8.8 out of 10, marking it as a critical vulnerability. Microsoft later determined that the activities resulted from Russian-based actors and that they were being used in targeted attacks against a limited number of organizations. The vulnerability, marked as CVE-2021-38647, was an extension of the original vulnerability discovered in 2020, a different vulnerability known as “CVE-2023-23397,” which affects all Microsoft Outlook products that run on the Windows operating system.

Details of the vulnerability affecting all Microsoft Outlook products

The vulnerability CVE-2023-23397 affects all Microsoft Outlook products that run on the Windows operating system. It is a cushion bypass vulnerability in NTLM that could be exploited for the purpose of credential theft to gain affluent access to an organization through an escalation of privilege vulnerability. An attacker can gain access to an Outlook server through an email, calendar invites, or tasks that utilize the extended MAPI property ‘PidLidReminderFileParameter.’ The property in question was intended for reminder purposes, but if exploited, would allow the attacker to execute arbitrary code on a vulnerable system.

During this period, threat actors targeted and breached the networks of approximately 15 critical organizations related to the government, energy, and transportation sectors. These organizations probably had a high concentration of sensitive information stored in their email systems, making them easy targets for the threat actors.

Threat actors can exploit the vulnerability by creating emails, calendar invites, or tasks that contain the extended MAPI property ‘PidLidReminderFileParameter.’ If an unsuspecting user opens the email, the code within the attachment may execute, leading to credential theft and privilege escalation, as the attacker gains access to the targeted email system.

This vulnerability could result in both credential theft and escalation of privilege vulnerability. If exploited, an attacker could gain high-level access to the targeted organization’s email systems. Potential attackers could then access sensitive data, which could be catastrophic for the organization. They could use the data for ransom purposes, or leverage it for competitive advantage.

The extended MAPI property ‘PidLidReminderFileParameter’ can be used by threat actors to create emails, calendar invites, or tasks that contain an attached file. This file contains a file path that Outlook replicates seamlessly, like an internal network file share or an SMB server Microsoft Windows server. This creates an opportunity for attackers to access passwords and other credential data that have been inadvertently duplicated and saved to the organization’s email systems.

An attacker may be able to exploit a vulnerable system’s Net-NTLMv2 hash by performing an NTLM relay attack on another system. This means that the attacker could gain access to other devices on the organization’s network.

The importance of installing the patch provided by Microsoft

Regarding CVE-2021-38647, Microsoft has already released a security update that fixes the vulnerability. Installing the patch as soon as possible would be an ideal move to address the vulnerability. It is also worth noting that if the fix has already been applied, it can be checked for effectiveness using available evaluation tools. While fixing the vulnerability would solve the immediate concern, more needs to be done to ensure that the organization does not fall prey to similar attacks in the future.

The significance of blocking outbound port TCP/445 from the network to prevent NTLM messages from leaving is that it is not enough to simply install the patch and assume that the vulnerability and similar ones have been addressed permanently. Blocking port TCP/445 outbound from the network is crucial in preventing the NTLM messages from leaving the network. Hackers cannot perpetrate an attack if messages are not leaving the organization’s network. Blocking this TCP port can thwart other potential attacks in which the organization’s internal networks are leveraged to carry out other malicious activities.

In conclusion, it is strongly advised by security analysts that admins apply and check all recommended mitigations immediately to prevent any attacks effectively. These include installing the relevant patch provided by Microsoft, blocking port TCP/445 outbound from the network to prevent NTLM messages from leaving, and educating users on best practices to avoid email-based attacks in the first place. Failure to take necessary action could have disastrous implications for the organization, and waiting for an attack to occur before taking the required measures is not worth it. Being proactive on this front is the only way to prevent potential harm to the organization.

Explore more

Companies Can Prevent Bad AI Hires by Measuring True Fluency

Organizations across the global marketplace are currently grappling with an unprecedented urgency to demonstrate sophisticated artificial intelligence capabilities to their demanding boards and expectant investors. This intense pressure has transformed AI fluency from a specialized technical niche into a mandatory prerequisite for nearly ninety-five percent of organizations operating today. However, the rush to secure talent has led to a paradoxical

Can RPA Balance Healthcare Efficiency With Patient Care?

The modern medical landscape is currently defined by a paradoxical struggle where advanced clinical innovations are often overshadowed by the sheer volume of clerical work required to sustain them. Doctors today spend a staggering amount of their shifts staring at glowing screens rather than engaging with the human beings sitting in the examination rooms. When a physician spends more time

How Is BlackRock Dominating the Tokenized Asset Market?

BlackRock’s strategic deployment of the USD Institutional Digital Liquidity Fund has fundamentally reshaped the landscape of global finance by successfully bridging the gap between traditional banking and decentralized ledgers. This initiative, widely recognized as BUIDL, represents a pivot from the speculative nature of early cryptocurrency markets toward the practical utility of high-grade financial instruments. By 2026, the institutional narrative has

How Can Lagos State Combat Workplace Harassment?

The rapidly evolving commercial landscape of Lagos State, often characterized by its relentless pace and high-stakes corporate environment, currently faces a critical reckoning as reports of workplace harassment continue to surface across various sectors. This phenomenon is not merely a social grievance but a significant barrier to economic productivity and employee retention in Africa’s largest subnational economy. As the city

Microsoft Refines Windows 11 Design With K2 Initiative

The traditional desktop environment is undergoing a fundamental transformation as Microsoft addresses long-standing visual inconsistencies through its ambitious internal project known as the K2 Initiative. This effort represents a significant shift from the piecemeal updates seen in previous years toward a holistic overhaul of the operating system’s aesthetic and functional layers. By prioritizing a more cohesive user experience, developers worked