We would like to inform you of a recent CVE (Common Vulnerabilities and Exposures) announcement that may affect your use of Microsoft Outlook. The CVE in question is CVE-2023-23397, The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication
What does this mean for me?
If your organization is currently under a contract for Managed IT Services with LNX, we would like to assure you that our team is already working on deploying a fix to address any potential vulnerabilities. Therefore, no further action is required from your end. However, if your organization is not currently under contract with us, we strongly advise following the steps outlined below to mitigate any potential risks and ensure the safety and security of your systems
- Blocking TCP 445/SMB outbound from your network to stop the NTLM traffic.
- Patch Outlook with the security updates available from Microsoft. If a security update isn’t available for a version of Outlook running in your organization, update Outlook to a supported version. This action is your number 1 priority. If vulnerable Outlook clients remain active, your organization is open to exploitation.
- Microsoft recommends adding on-premises accounts to the Protected Users Security Group. Windows 2012 R2 and newer domain controllers support this group, which prevents the use of NTLM as an authentication method by group members. Microsoft warns that adding everybody to the group might impact applications that require NTLM, so this is a tactic best used for selected high-profile accounts. Be sure that you read the documentation for the Protected Users Security Group before you use this tactic.
- Run the PowerShell script developed by Microsoft to find and remove suspicious items. This action isn’t a mitigation for the vulnerability. It merely finds items that might contain a payload. The script is not fast. There’s no good way to filter on the PidLidReminderFileParameter property, so the script uses Exchange Web Services (EWS) to examine the properties of individual mailbox items. Depending on mailbox sizes and the number of items in the mailboxes, this script will take hours rather than minutes to run. It’s not a snappy process. Several problems have been reported with running the script, so check this page to see the known issues.
If you need further assistance, please do not hesitate to contact us.