CVE-2023-23397 Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

  • Administrators

A detection will be available today, with the pre-release engine for a start. However, since exploitation of the vulnerability happens before an email is passed to AV for scanning, the only way to prevent the exploitation is by installing the appropriate Windows update or by mitigating the vulnerability:

Quote

Mitigations for CVE-2023-23397 include adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445). A dedicated PowerShell script has also been released to help admins check for users targeted using this Outlook vulnerability.

Can we expect ESET Mail Security to quarantine inbound external messages once the detection signatures are made available? (thereby protecting potentially vulnerable Outlook clients)

2 hours ago, DarrylRH said:

Can we expect ESET Mail Security to quarantine inbound external messages once the detection signatures are made available? (thereby protecting potentially vulnerable Outlook clients)

Read again what @Marcos posted.

It makes no difference if Eset can detect the malicious e-mail and quarantine it. You could be exploited prior to Eset detecting the e-mail.

4 hours ago, itman said:

Read again what @Marcos posted.

It makes no difference if Eset can detect the malicious e-mail and quarantine it. You could be exploited prior to Eset detecting the e-mail.

Appreciate what you're saying - my understanding is this exploit triggers the Outlook client to initiate an outbound SMB connection via the system process thereby exposing the NTLM hash.

ESET Mail Security is running in the inbound side of Exchange edge transport - before the exploit ever reaches the mailbox, and far before the Outlook client comes into play.

  • ESET Moderators

Hello @DarrylRH,

the research teams are still working on improving the detections for this threat, some of them are already in place.

A script provided by Microsoft to scan Exchange messaging items is available at https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

Peter

Hello

I'd support DarrylRH's idea. Why not create a filter in ESET Mail Security for email with “PidLidReminderFileParameter” and quarantine/block such emails? Here you can find some information about this parameter: https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/

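The mail-side filter suggested in the post above, sketched as an added Python example (not ESET's product logic and not Microsoft's CSS-Exchange script): given the named MAPI properties of each mailbox item, it flags any whose PidLidReminderFileParameter names a remote host, which is what makes the client reach out over SMB. The "remote path" heuristic (UNC `\\host\...` or a `file://host/...` URL) and the MapiMessage container are assumptions of this example; the sample items are constructed.

```python
import re
from dataclasses import dataclass, field

# Named MAPI property the thread discusses; the vulnerable client resolves it
# as the path of a reminder sound file.
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# Assumed heuristic: a UNC path (\\host\share\...) or a file://host/... URL
# names another machine; plain drive paths and \\?\ / \\.\ device paths stay local.
REMOTE_PATH_RE = re.compile(
    r"^(\\\\[^\\?.][^\\]*(\\|$)|file://[^/]+/)", re.IGNORECASE)


@dataclass
class MapiMessage:
    """Minimal stand-in for a mailbox item: an id plus its named properties."""
    item_id: str
    properties: dict = field(default_factory=dict)


def reminder_points_offsite(value):
    """True if a PidLidReminderFileParameter value refers to a remote host."""
    if not isinstance(value, str):
        return False
    return bool(REMOTE_PATH_RE.match(value.strip()))


def scan_items(items):
    """Return (item_id, value) for each item whose reminder path is remote."""
    hits = []
    for item in items:
        value = item.properties.get(REMINDER_FILE_PARAMETER)
        if reminder_points_offsite(value):
            hits.append((item.item_id, value))
    return hits


# Constructed sample items; no real hosts or captured messages.
SAMPLE_ITEMS = [
    MapiMessage("msg-001", {"Subject": "Team sync"}),  # property absent
    MapiMessage("msg-002", {REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"}),  # local
    MapiMessage("msg-003", {REMINDER_FILE_PARAMETER: r"\\evil-host.example\share\x.wav"}),  # UNC
    MapiMessage("msg-004", {REMINDER_FILE_PARAMETER: "file://evil-host.example/share/x.wav"}),
    MapiMessage("msg-005", {REMINDER_FILE_PARAMETER: r"\\?\C:\local\sound.wav"}),  # local
]

if __name__ == "__main__":
    for item_id, value in scan_items(SAMPLE_ITEMS):
        print(f"{item_id}: reminder file points off-host -> {value}")
```

Items this flags are candidates for quarantine at the transport layer, before a client ever evaluates the reminder; the check still does nothing for items already delivered, which is why the patch and the port 445 block remain the primary mitigations.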
