A patch released last week to remediate a critical zero-day vulnerability in Microsoft Outlook does not fully protect computer networks from attack, researchers said Monday.
Dominic Chell, director at MDSec, and Will Dormann, senior principal vulnerability analyst at Analygence, said the patch issued to fix CVE-2023-23397 can still be bypassed if an attacker has gained access to a system.
Microsoft and later Mandiant researchers warned that state-linked threat actors had abused the vulnerability to launch attacks against critical infrastructure in several European countries, after prior warnings from Ukraine officials.
Mandiant researchers warned of possible escalation of attacks involving other state-linked actors and financially motivated criminal hackers.
Chell found the weakness in the mitigation steps and planned to contact Microsoft about the findings, Dormann told Cybersecurity Dive.
The update from Microsoft prevents sender-specified reminder sounds on hosts that Windows considers to be on the local area network, Dormann said.
The vulnerability could still be exploited if the attacker was an insider or had access through a compromised host, according to Dormann.
Attackers are exploiting the vulnerability to send malicious emails that do not have to be opened by the user, according to Huntress. The attackers then capture Net-NTLMv2 hashes, which allow the attacker to authenticate in a Windows environment and escalate privileges.
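As an added defender-side illustration (not code from the article or from the researchers it quotes) of why a zone-based block alone is an incomplete control: a hunting check that flags every message whose custom reminder-sound path points at a network location, and records separately whether a coarse "local intranet" zone decision would have blocked it. The message records and the intranet suffix list are constructed; the property name PidLidReminderFileParameter is the MAPI property Outlook uses for a custom reminder sound, a fact assumed here rather than stated on the page.

```python
import re
from dataclasses import dataclass

# Paths that would make a client contact another host: UNC (\\host\share\...)
# and the URL spellings of the same thing.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")
URL_RE = re.compile(r"^(?:file|smb|webdav)://([^/]+)/", re.IGNORECASE)


def remote_host(path):
    """Return the host a reminder-sound path would contact, or None if it is local."""
    for rx in (UNC_RE, URL_RE):
        m = rx.match(path.strip())
        if m:
            return m.group(1).lower()
    return None


@dataclass
class Message:
    msg_id: str
    sender: str
    reminder_file: str  # value of PidLidReminderFileParameter, "" if unset


def is_intranet_host(host, intranet_suffixes):
    """Coarse stand-in for a 'local intranet' zone decision (assumption, not Windows' logic)."""
    return "." not in host or any(host.endswith(s) for s in intranet_suffixes)


def hunt(messages, intranet_suffixes=(".corp.example",)):
    """Flag every message with a remote reminder sound.
    Returns (msg_id, host, zone_block_applies) tuples; internal hosts are
    reported too, because an insider or compromised host sits inside the zone."""
    hits = []
    for m in messages:
        host = remote_host(m.reminder_file)
        if host is None:
            continue
        blocked = not is_intranet_host(host, intranet_suffixes)
        hits.append((m.msg_id, host, blocked))
    return hits


# Constructed sample mailbox items; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    Message("1", "alice@corp.example", ""),                                   # no custom sound
    Message("2", "bob@corp.example", r"C:\Windows\Media\chimes.wav"),         # local file
    Message("3", "ext@example.net", r"\\203.0.113.5\share\alert.wav"),        # external host
    Message("4", "mallory@corp.example", r"\\fileserv.corp.example\s\a.wav"), # internal host
    Message("5", "x@example.net", "file://203.0.113.9/s/a.wav"),              # URL form
]
```

Run `hunt(SAMPLE)`: items 3 and 5 are reported with the zone block applying, while item 4 is reported with it not applying, which is the gap the researchers describe.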
“The adversary needs at least a foothold with initial access,” said John Hammond, senior security researcher at Huntress. “This makes the exploit not as easily point-and-shoot as it was without the patch, but still a worthy attack vector for red teamers, penetration testers, or of course malicious actors who have already gained access to the environment.”
The security update Microsoft released for CVE-2023-23397 “protects customers against the leak of NTLM hashes outside of their network,” a Microsoft spokesperson said via email.
The spokesperson confirmed the technique described by the researchers would require an attacker to have already gained access to an internal network.
Customers should therefore apply the patch to remain secure, according to the spokesperson.
Microsoft urged customers to again review the instructions to apply security updates. The company also suggested review of instructions to mitigate Pass-the-Hash attacks.