

Outlook Vulnerability Allows Zero-Click Attackers to Compromise User Authentication

An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash, which could then be used as the basis of an NTLM relay attack against another service to authenticate as the user.

General

In Microsoft's Patch Tuesday, the news broke of an Outlook Elevation of Privilege Vulnerability (CVE-2023-23397). Microsoft released a patch for this vulnerability along with security updates covering nearly all of its other services, from Azure to Microsoft 365 Apps for Enterprise to Outlook 2013 SP1. Microsoft later published a blog post focusing on its handling of this vulnerability, in which it assessed that the vulnerability had been subject to targeted but limited attacks by Russia-based threat actors. The exploit was used in attacks against a limited number of organizations in Europe's government, transportation, energy, and military sectors.

This flaw affects on-prem versions of Microsoft Outlook for Windows (Microsoft 365 Apps for Enterprise and Office 2013, 2016, and 2019, including LTSC). Outlook for Mac, iOS, and Android, and Outlook on the web, are not affected because these services do not support NTLM authentication and therefore cannot be attacked this way. However, the CVSS attack complexity is rated “Low”, and as such Holm Security is urging users to apply the patch as soon as possible.

Description

No-User-Interaction & Zero-Click Vulnerability

This vulnerability is particularly dangerous because it allows a remote, unauthenticated attacker to retrieve the victim's credentials just by sending a specially formatted appointment to the user. The appointment does not even need to be opened: it triggers automatically when it is retrieved and processed by the Outlook client. The expired appointment sent by the attacker populates specific built-in properties that point to a UNC path, which provokes Windows to send the user's login name and NTLM password hash to a location controlled by the attacker. Since the message is an appointment, Outlook processes it without any interaction from the user, who could remain completely unaware of what is happening.

Khuram Hussain, a certified ethical hacker at Holm Security, said: “This flaw is simple to exploit and, importantly, requires no user interaction, making this a zero-click vulnerability. Proof-of-concept exploits have already been developed, and given the ubiquity of Outlook, now that the vulnerability is known, we believe it is only a matter of time before it is incorporated into the strategies of threat actors worldwide.”
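The trait described above, a calendar-item property that points to a UNC path on a host the attacker controls, is what a defender can hunt for in stored or incoming appointments. The Python checker below is an added example, not code from the original article or from any Microsoft or Holm Security tooling; it also covers the `\\host@port\share` WebDAV form of a UNC path. The property name `ReminderSoundFile`, the sample items and the trusted-suffix list are constructed placeholders, not the real MAPI property the flaw abuses.

```python
import ipaddress
import re

# A Windows UNC path: \\host\share\... or the WebDAV form \\host@port\share\... (port may be "SSL").
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>\d+|SSL))?\\(?P<rest>.*)$")


def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if the value is not a UNC path."""
    if not isinstance(value, str):
        return None
    m = UNC_RE.match(value.strip())
    return m.group("host").lower() if m else None


def is_trusted_host(host, trusted_suffixes):
    """True only for a DNS name under an allowlisted suffix. Bare IP literals are never
    trusted: internal file servers are referenced by name, rogue listeners usually by IP."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_untrusted_unc(props, trusted_suffixes):
    """Return (property name, host) for each property whose value is a UNC path to an
    untrusted host; resolving such a path is what leaks the user's Net-NTLMv2 hash."""
    hits = []
    for name, value in props.items():
        host = unc_host(value)
        if host is not None and not is_trusted_host(host, trusted_suffixes):
            hits.append((name, host))
    return hits


# Constructed sample items. "ReminderSoundFile" is a placeholder property name, not the real
# MAPI property the vulnerability abuses; the hosts use documentation address ranges.
TRUSTED_SUFFIXES = {"corp.example"}
SAMPLE_ITEMS = {
    "benign-local":    {"Subject": "Standup", "ReminderSoundFile": r"C:\Windows\Media\ring.wav"},
    "benign-internal": {"Subject": "Review",  "ReminderSoundFile": r"\\files.corp.example\media\ring.wav"},
    "ip-literal":      {"Subject": "Expired", "ReminderSoundFile": r"\\203.0.113.5\share\x.wav"},
    "webdav-port":     {"Subject": "Expired", "ReminderSoundFile": r"\\evil.example@80\dav\x"},
}


def triage(items=SAMPLE_ITEMS, trusted=TRUSTED_SUFFIXES):
    """Map each item id to its untrusted UNC findings; an empty list means the item is clean."""
    return {item_id: find_untrusted_unc(props, trusted) for item_id, props in items.items()}
```

Run `triage()` over items exported from a mailbox (with the property name swapped for the one your export tool emits) to get a per-item list of hosts that need blocking and investigation.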
