What is CVE-2023-23397
CVE-2023-23397 is a Microsoft Outlook Elevation of Privilege Vulnerability. It allows an NTLM relay attack against another service, letting the attacker authenticate as the user. SonicWall provides protection against exploits targeting this vulnerability.
The Outlook client on Windows (if still unpatched) is vulnerable. For the attack to succeed, Outlook needs to be running, but the user is not required to preview the email.
How is this exploited:
An attacker can send a specially crafted message file over SMTP, and the vulnerability is triggered when the victim's Outlook client accesses this message.
SonicWall Capture Labs provides protection against this threat via:
- ASPY 429: Malformed-msg msg.MP_1(CVE-2023-23397)
- ASPY 430: Malformed-msg msg.MP_2 (CVE-2023-23397)
- Capture ATP w/RTDMI
We also recommend disabling outbound SMB protocol access (block port 445 from internal networks to outside internet) as an extra measure to prevent external NTLM hash leakage. Please note that Outlook Clients running on non-Windows operating systems are not vulnerable.
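To verify that the outbound SMB block is actually in effect, firewall or flow logs can be checked for internal hosts reaching external addresses on port 445. The following is an added example, not SonicWall code; the five-field log format, the sample records and the RFC 1918 definition of "internal" are assumptions to adapt to your environment.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for "internal networks"; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic): time src dst dst_port action
SAMPLE_LOG = """\
2023-03-15T09:12:01Z 10.1.4.22 10.1.0.5 445 allow
2023-03-15T09:12:07Z 10.1.4.22 203.0.113.45 445 allow
2023-03-15T09:13:40Z 192.168.7.9 198.51.100.8 443 allow
2023-03-15T09:14:02Z 172.16.3.30 198.51.100.77 445 deny
malformed line
2023-03-15T09:15:11Z 10.1.4.22 192.0.2.10 445 allow
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return internal-to-external port 445 records, noting if each was blocked."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip unparsable addresses
        if port == "445" and is_internal(src_ip) and not is_internal(dst_ip):
            findings.append({"time": ts, "src": src, "dst": dst,
                             "blocked": action == "deny"})
    return findings

def unblocked(findings):
    """Connections the firewall allowed: the egress rule is missing or bypassed."""
    return [f for f in findings if not f["blocked"]]

if __name__ == "__main__":
    for f in unblocked(find_outbound_smb(SAMPLE_LOG)):
        print(f"{f['time']} outbound SMB allowed: {f['src']} -> {f['dst']}:445")
```

Any record returned by `unblocked` identifies a host whose SMB traffic left the network and is worth reviewing alongside its Outlook patch status.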
For further details on this vulnerability please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397