DM R, posted March 16 (edited March 16 by DM R to add link):
ESET mitigation aside from NTLM? Implications in NTLM deny and only setting trusted zones? https://techcenter.eset.nl/en-US/news/posts/cve-2023-23397-microsoft-mitigates-outlook-elevation-of-privilege-vulnerability

DM R (thread author), posted March 16:
@Marcos can you advise?

Marcos (ESET Administrator), posted March 17:
A detection will be available today, with the pre-release engine for a start. However, since exploitation of the vulnerability happens before an email is passed to AV for scanning, the only way to prevent the exploitation is by installing the appropriate Windows update or by mitigating the vulnerability:
Quote: "Mitigations for CVE-2023-23397 include adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445). A dedicated PowerShell script has also been released to help admins check for users targeted using this Outlook vulnerability."

DarrylRH, posted March 17:
Can we expect ESET Mail Security to quarantine inbound external messages once the detection signatures are made available? (thereby protecting potentially vulnerable Outlook clients)

itman, posted March 17:
Quoting DarrylRH (2 hours earlier): "Can we expect ESET Mail Security to quarantine inbound external messages once the detection signatures are made available? (thereby protecting potentially vulnerable Outlook clients)"
Read again what @Marcos posted. It makes no difference if ESET can detect the malicious e-mail and quarantine it. You could be exploited prior to ESET detecting the e-mail.

DarrylRH, posted March 18:
Quoting itman (4 hours earlier): "Read again what @Marcos posted. It makes no difference if ESET can detect the malicious e-mail and quarantine it. You could be exploited prior to ESET detecting the e-mail."
Appreciate what you're saying - my understanding is this exploit triggers the Outlook client to initiate an outbound SMB connection via the system process, thereby exposing the NTLM hash. ESET Mail Security is running on the inbound side of Exchange edge transport - before the exploit ever reaches the mailbox, and far before the Outlook client comes into play.

Peter Randziak (ESET Moderator), posted March 20:
Hello @DarrylRH, the research teams are still working on improving the detections for this threat; some of them are already in place. A script provided by Microsoft to scan Exchange messaging items is available at https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
Peter

SLV, posted March 20:
Hello, I'd support DarrylRH's idea. Why not create a filter in ESET Mail Security for emails with “PidLidReminderFileParameter” and quarantine/block such emails? Here you can find some information about this parameter: https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/
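A mail-side triage check along the lines SLV suggests, written as an added example for this thread (it is not ESET product code and not Microsoft's CVE-2023-23397 script): given a PidLidReminderFileParameter value already extracted from a message by whatever MAPI/MSG parser is in use, it flags values that point the reminder sound at a remote host (UNC or file:// form) rather than a local file, and reports the host for blocking or alerting. The regexes, the classification rules and the sample messages are my own assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a UNC reference (\\host\share\..., also the \\?\UNC\host\ form
# and the forward-slash variant) or a file://host/ URL means the reminder sound
# would be fetched from another machine; anything else is treated as local.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)(?P<host>[^\\/]+)[\\/]", re.IGNORECASE)
FILE_URL_RE = re.compile(r"^file://(?P<host>[^/\\]+)[/\\]", re.IGNORECASE)


@dataclass
class ReminderCheck:
    message_id: str
    value: Optional[str]
    suspicious: bool
    remote_host: Optional[str]
    reason: str


def classify_reminder_file(message_id: str, value: Optional[str]) -> ReminderCheck:
    """Classify one message's PidLidReminderFileParameter value (already extracted)."""
    if value is None or not value.strip():
        return ReminderCheck(message_id, value, False, None, "property absent or empty")
    v = value.strip()
    m = UNC_RE.match(v) or FILE_URL_RE.match(v)
    if m:
        return ReminderCheck(message_id, value, True, m.group("host"),
                             "reminder sound path points to a remote host")
    return ReminderCheck(message_id, value, False, None, "local path")


def scan_messages(messages: Dict[str, Optional[str]]) -> List[ReminderCheck]:
    """Return only the suspicious results, in message order, for quarantine/alert logic."""
    results = (classify_reminder_file(mid, val) for mid, val in messages.items())
    return [r for r in results if r.suspicious]


# Constructed sample: message id -> extracted property value (None = property absent).
# 203.0.113.10 is a documentation address, not a real host.
SAMPLE = {
    "msg-001": None,
    "msg-002": r"C:\Windows\Media\chimes.wav",
    "msg-003": r"\\203.0.113.10\share\alert.wav",
    "msg-004": r"\\?\UNC\203.0.113.10\share\alert.wav",
    "msg-005": "file://203.0.113.10/share/alert.wav",
}

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE):
        print(f"{hit.message_id}: {hit.reason} ({hit.remote_host})")
```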