SonicWall provides protection against exploits targeting recently announced critical CVE-2023-23397 vulnerability


What is CVE-2023-23397

CVE-2023-23397 is a Microsoft Outlook Elevation of Privilege Vulnerability. This allows for a NTLM Relay attack against another service to authenticate as the user. SonicWall provides protection against exploits targeting this vulnerability.
Outlook Client on Windows OS (if still unpatched) is vulnerable. For the attack to be successful Outlook needs to be running but the user is is not required to preview email.

How is this exploited:

Attacker can send a specially crafted message file over SMTP and the vulnerability is triggered when victim’s Outlook client accesses this message.

SonicWall Capture Labs provides protection against this threat via :

  • ASPY 429: Malformed-msg msg.MP_1(CVE-2023-23397)
  • ASPY 430: Malformed-msg msg.MP_2 (CVE-2023-23397)
  • Capture ATP w/RTDMI

We also recommend disabling outbound SMB protocol access (block port 445 from internal networks to outside internet) as an extra measure to prevent external NTLM hash leakage. Please note that Outlook Clients running on non-Windows operating systems are not vulnerable.

For further details on this vulnerability please refer to:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.