Microsoft recently patched a zero-click privilege escalation vulnerability within Microsoft Outlook, tracked as CVE-2023-2339 and rated a 9.8/10 on the Common Vulnerability Scoring System (CVSS). Left unchecked, this vulnerability could allow a threat actor to capture sensitive information from any user account that receives the malicious email and impersonate that user.
Announced earlier this week, the flaw lets a threat actor abuse a Microsoft Outlook feature that allows a custom sound file to be loaded as the notification for a message. That file does not have to be local to the machine: it can live on a remote file share accessible via a Universal Naming Convention (UNC) path. Pointing the property at such a share forces the victim's machine to authenticate to the attacker's server automatically, with no user interaction. The attacker can then use the sensitive information gathered during that authentication process in several ways, including replaying it elsewhere to authenticate with other services.
Coupling this Outlook feature with how New Technology LAN Manager (NTLM) authentication works, the exploit fires automatically when a user is sent a calendar invite in the Outlook desktop app whose custom sound property is populated with a UNC path to a remote SMB file share. The victim's computer, believing it is authenticating with a legitimate server, begins a challenge-and-response exchange that lets the attacker steal NTLM hashes. These hashes can then be stored for cracking or replayed to authenticate with another service without the victim knowing.
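A defender-side check for the pattern described above, added here as an example and not part of the original article: given the string value of an item's custom reminder-sound property (the article does not name the underlying property, so the extraction step is assumed to have happened already), the function decides whether the path points at a remote share rather than a local file. The sample values below are constructed for illustration, and the host and share names in them are documentation placeholders.

```python
import re

# Constructed sample values of a custom reminder-sound property, as a scanner
# would see them after pulling the property out of a mail or calendar item.
SAMPLES = {
    "local-wav": r"C:\Windows\Media\notify.wav",
    "local-long": r"\\?\C:\Windows\Media\notify.wav",
    "unc-ip": r"\\203.0.113.10\share\alert.wav",
    "unc-host": r"\\files.example.net\media\ping.wav",
    "unc-long": r"\\?\UNC\203.0.113.10\share\ping.wav",
    "file-url": "file://203.0.113.10/share/ping.wav",
    "loopback": r"\\localhost\c$\ping.wav",
    "empty": "",
}

# \\host\share\... or the long-path form \\?\UNC\host\share\...
# The host class excludes '?' so that \\?\C:\... (a local long path) never
# parses as a remote share.
UNC_RE = re.compile(r"^\\\\(\?\\UNC\\)?(?P<host>[^\\?]+)\\(?P<share>[^\\]+)")
# file://host/share/... (file:///C:/... has an empty host and does not match)
FILE_URL_RE = re.compile(r"^file://(?P<host>[^/]+)/(?P<share>[^/]+)", re.IGNORECASE)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "."}


def remote_target(path):
    """Return (host, share) if the reminder path refers to a remote share, else None.

    A remote target means Outlook would reach out over SMB to fetch the sound,
    which is exactly the behaviour that triggers the forced NTLM authentication.
    """
    if not path:
        return None
    for pattern in (UNC_RE, FILE_URL_RE):
        m = pattern.match(path)
        if m and m.group("host").lower() not in LOCAL_HOSTS:
            return (m.group("host"), m.group("share"))
    return None


def flag_items(items):
    """Return the keys of every item whose reminder sound path is remote."""
    return [name for name, path in items.items() if remote_target(path) is not None]


if __name__ == "__main__":
    for name in flag_items(SAMPLES):
        host, share = remote_target(SAMPLES[name])
        print(f"{name}: remote reminder sound on \\\\{host}\\{share}")
```

In practice the flagged host would be compared against the organization's own file servers; any reminder sound pointing outside that set is worth an alert, since a legitimate invite has no reason to fetch a sound from an external share.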
The mitigation is to install the Microsoft Outlook security update or to restrict the use of NTLM for authentication. Organizations can also block outbound SMB traffic over port 445, which likewise stops the attack from working. Microsoft has additionally released an audit tool on GitHub to check whether your organization has already been affected, which is entirely possible.
TrustedSec reports that Russian military intelligence has exploited this vulnerability for about a year, so patch now to stay secure.
https://hothardware.com/news/critical-outlook-privilege-escalation-vulnerability-found-patch-now