CVE-2023-23397 is a critical privilege elevation/authentication bypass vulnerability in Outlook. To mitigate the risks associated with this vulnerability, security administrators can perform several steps to reduce the risk of exploitation:
- Apply the vendor patches immediately. Microsoft has released a patch as part of their March 2023 Monthly Security Update.
- Block TCP 445/SMB outbound from your network.
- Customers can disable the WebClient service.
- Add users to the Protected Users Security Group.
- Enforce SMB signing on clients and servers to prevent a relay attack.
In addition to these steps, it’s always a good practice to exercise caution when opening email attachments from unknown or untrusted sources and verify the sender’s identity before opening any attachments.
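The host-side steps above, collected into one script as an added example (not from the original post or from Microsoft's own CSS-Exchange script). It assumes an elevated PowerShell session on a domain-joined Windows host, the ActiveDirectory RSAT module for the group change, and that `$PilotUsers` is a placeholder list of accounts chosen for the Protected Users rollout.

```powershell
# Added example, not the original post's code: apply the four host-side
# mitigations described above, then report the resulting state.
# Assumptions: run elevated; RSAT ActiveDirectory module installed;
# $PilotUsers holds placeholder sAMAccountNames, not real accounts.
#Requires -RunAsAdministrator

$PilotUsers = @('pilot.user1', 'pilot.user2')   # placeholders (constructed)
$RuleName   = 'Block outbound SMB (TCP 445) to Internet'

# 1. Block outbound SMB to internet destinations only. The "Internet" address
#    keyword keeps LAN file shares working; assumption: NLA classifies the
#    environment correctly, otherwise scope -RemoteAddress explicitly.
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
    -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# 2. Disable the WebClient (WebDAV redirector) service so that a UNC path to
#    an external host cannot fall back to WebDAV once TCP 445 is blocked.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Require SMB signing for this host as both client and server.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 4. Add the pilot accounts to Protected Users. Members lose NTLM, so start
#    with a small pilot and watch for logon failures before widening it.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Protected Users' -Members $PilotUsers

# Verification: one property per control, suitable for pasting into a ticket.
[pscustomobject]@{
    SmbOutboundBlocked = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    WebClientDisabled  = (Get-Service -Name WebClient).StartType -eq 'Disabled'
    ClientSigning      = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerSigning      = (Get-SmbServerConfiguration).RequireSecuritySignature
    ProtectedUsers     = (Get-ADGroupMember -Identity 'Protected Users' |
                          Select-Object -ExpandProperty SamAccountName) -join ','
}
```

Step 4 changes domain objects and needs rights on the Protected Users group; the other three steps affect only the local host and are easier to roll out through Group Policy once verified here.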
Microsoft WebClient service: The Microsoft WebClient service is a Windows service that allows applications to access resources on a web server using the Web Distributed Authoring and Versioning (WebDAV) protocol. This service is typically used by applications that need to access files stored on a web server, such as Microsoft SharePoint.
However, the Microsoft WebClient service has been known to have vulnerabilities that can be exploited by attackers to gain unauthorized access to a system. To mitigate this risk, it is important to keep the WebClient service up-to-date with the latest security patches and to restrict access to the service to only those users who need it for their work.
Protected Users Security Group: The Protected Users Security Group is a security group that was introduced in Windows 8.1 and Windows Server 2012 R2. This group is designed to provide an additional layer of protection against pass-the-hash attacks, where an attacker steals a password hash from a compromised system and uses it to gain access to other systems in the network.
Users who are members of the Protected Users Security Group have several security features enabled by default, including:
- Credential isolation: Credentials for Protected Users are isolated from other users on the system, making them harder to steal.
- Restricted admin mode: Protected Users are not allowed to perform administrative tasks that require elevated privileges.
- No NTLM authentication: Protected Users are not allowed to use NTLM authentication, which is commonly targeted by attackers in pass-the-hash attacks.
SMB signing on clients and servers: Server Message Block (SMB) is the protocol Windows uses for sharing files, printers, and other resources on a network. SMB signing is a feature that lets clients and servers verify each other's identity and confirm that data has not been tampered with in transit.
Enabling SMB signing on clients and servers is an important security measure that helps prevent man-in-the-middle (MITM) attacks and other network-based attacks, including NTLM relay. When SMB signing is required, every SMB message carries a keyed message authentication code derived from the session key, so the receiving side detects any modification in transit and a relayed authentication cannot be used to complete a session.
SMB (Server Message Block) is a network communication protocol that lets devices on a network share files, printers, and other resources with each other. It runs over Transmission Control Protocol (TCP) port 445, which is why this mitigation is usually described as blocking TCP 445/SMB outbound.
SMB is an important protocol in modern Windows environments, as it is used for a wide range of network communication tasks, including:
- File and printer sharing: SMB allows users to share files and printers with other devices on the network, allowing for collaboration and efficient resource utilization.
- Remote administration: System administrators can use SMB to remotely manage devices on the network, including running commands, installing software, and configuring settings.
- Authentication and authorization: SMB provides a framework for user authentication and access control, ensuring that only authorized users have access to network resources.
However, TCP 445/SMB outbound traffic can also be a potential security risk. Attackers can use SMB vulnerabilities to gain unauthorized access to network resources, steal sensitive data, or launch other types of attacks. For example, the WannaCry ransomware attack in 2017 exploited an SMB vulnerability to spread rapidly across networks and infect thousands of devices.
To mitigate the risk of SMB-based attacks, it is important to implement proper security measures, such as:
- Keep SMB up-to-date with the latest security patches: Regularly apply updates to operating systems and other software to address known vulnerabilities.
- Use firewalls to restrict SMB traffic: Configure firewalls to restrict inbound and outbound traffic on TCP 445/SMB to only those devices and networks that require it.
- Implement strong access controls: Use strong passwords, multifactor authentication, and other access controls to ensure that only authorized users have access to network resources.
- Monitor network traffic: Use network monitoring tools to detect and respond to suspicious SMB traffic, such as large amounts of data being transferred or unusual network connections.
Here are some suggestions on how to mitigate pass-the-hash attacks and credential theft:
- Use strong passwords: Use strong, complex passwords that are difficult to guess or crack. Passwords should be at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols.
- Implement multifactor authentication: Use multifactor authentication (MFA) to provide an additional layer of security beyond passwords. MFA requires users to provide additional proof of identity, such as a fingerprint or a code sent to their phone, before gaining access to a system.
- Restrict administrative privileges: Limit the number of users who have administrative privileges on systems and applications. This reduces the risk of an attacker gaining access to administrative credentials and being able to carry out attacks.
- Use strong encryption: Use strong encryption to protect sensitive data, such as passwords and authentication tokens, while in transit and at rest. This helps to prevent attackers from intercepting or stealing credentials.
- Keep systems up-to-date: Regularly apply software patches and updates to address known vulnerabilities in systems and applications. This reduces the risk of attackers exploiting known vulnerabilities to steal credentials.
- Monitor network activity: Use network monitoring tools to detect and respond to suspicious activity, such as unusual logins or attempts to access restricted systems.
- Implement privileged access management (PAM): PAM solutions provide an extra layer of protection to prevent pass-the-hash attacks by managing and securing privileged credentials, controlling access to sensitive systems, and monitoring activity on privileged accounts.
- Use Protected Users Security Group: As mentioned earlier, the Protected Users Security Group is a security group in Windows designed to provide an additional layer of protection against pass-the-hash attacks. Enabling the group and adding users who have high-value credentials to it can help prevent pass-the-hash attacks.
Mitigating pass-the-hash attacks and credential theft requires a multi-layered approach that includes strong passwords, MFA, access control, encryption, software updates, network monitoring, and privileged access management. By implementing these best practices, organizations can reduce the risk of credential theft and pass-the-hash attacks and protect their sensitive data and systems.
For more information about pass-the-hash attacks, credential theft, and this vulnerability in particular, you can refer to the following:
https://www.microsoft.com/en-us/download/details.aspx?id=36036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397
https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/