Cato Protects Against CVE-2023-23397 Exploits 

Listen to post:
Getting your Trinity Audio player ready...

A new critical vulnerability impacting Microsoft Outlook (CVE-2023-23397) was recently published by Microsoft. The CVE is particularly concerning as no user involvement is required by the exploit. Once a user receives a malicious calendar invite, the attacker can gain a user’s Active Directory credentials.  

Microsoft has released a security update that can be found here. Cato Research strongly encourages updating all relevant systems as proof-of-concept exploits have already appeared online. Until all systems have been updated, Cato customers can rest easy. By default, any Cato-connected endpoint – remote user, site, or any other type of user – is protected from the attacks exploiting the CVE.  

What is CVE-2023-23397 and How Does it Work? 

CVE-2023-23397 is a critical vulnerability in the Outlook client. An attacker can craft a .MSG file as a e form of a calendar invite that triggers an authentication attempt over the SMB protocol to an attacker-controlled endpoint without any user interaction. (.MSG is the file format used to represent Outlook elements, such email messages, appointments, contacts, and tasks.)  

In case the SMB authentication attempt is done using NTLM, the Outlook client will send the attacker a Net-NTLM hash along with the username and domain name. This enables an attacker to perform an offline dictionary-based attack on the hash. The result: revealing the user’s password and username that can then be used to authenticate and attack exposed services that rely on active directory credentials.  

Cato Networks SASE Threat Research Report H2/2022 | Download the Report

What is Cato’s Mitigation?  

Right upon the exploitation disclosure, Cato’s Security Research team began investigating the CVE. Cato IPS does not inspect the Outlook .MSG elements as that would be out of scope for an IPS system. But the CVE does require an outbound SMB session to exfiltrate data and, by default, Cato’s firewall implements a deny rule, blocking outbound SMB traffic. Only SMB sessions terminating at known, trusted servers should be allowed.  

Our team continues to review a dedicated IPS signature to be enforced globally for this threat. It will ensure that potential information leakage, such as the one presented by this CVE, is prevented regardless of their firewall configuration. With hybrid Active Directory setups that extend AD identities to the cloud and may utilize SMB, careful review of the data is required to avoid causing false positives introduced by legitimate usage. Further notice will be provided to Cato customers in forthcoming Release Notes. 

Related Topics