[Urgent] Microsoft Outlook Elevation of Privilege vulnerability (last updated: 17-03-2023)




CVE-2023-23397

CVSS 3.1 score 9.8 (Critical)


Microsoft (the Redmond-based software company) announced on Tuesday 14 March that a critical zero-day vulnerability has been found in all versions of MS Outlook.


[What has been clarified so far]


1) It only affects Windows-based versions of Outlook, not non-Windows versions such as Android, macOS, iOS and the web-based versions.


2) An attacker can steal NTLM credentials simply by sending the target a malicious email.


3) Attackers can obtain the information merely by sending an email to the victim; the email does not need to be opened.

(No user interaction is needed: exploitation occurs when Outlook is running and the reminder is triggered on the system.)


4) Windows New Technology LAN Manager (NTLM) is an authentication method used to log in to Windows domains using hashed login credentials.

(Apparently, despite its well-known risks, NTLM is still widely used on new systems for compatibility with older systems.)


5) NTLM works with password hashes that a server receives from a client when the client attempts to access a shared resource (such as an SMB share).

If stolen, these hashes can be used to authenticate on the network.

--------> MS explained that an attacker can use CVE-2023-23397 to obtain NTLM hashes by sending a message with an extended MAPI property containing a UNC path to an SMB (TCP 445) share on a threat actor-controlled server.


6) Attackers send messages with extended MAPI properties containing UNC paths to an SMB share (TCP 445) under their control.

MS explains that the connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.


- MAPI (Microsoft Outlook Messaging API):

the messaging interface whose properties Microsoft documents as "canonical properties".

Each canonical property corresponds to one or more related MAPI properties.


- UNC (Universal Naming Convention) path:

a way of naming a shared file on a computer so that it can be located not only from the internal network but also from an external network.

On Windows operating systems it is written in the form \\servername\sharename\path\filename.


- SMB (Server Message Block):

/ A message format used in DOS and Windows to share files, directories and peripheral devices.

/ Many network products use SMB. (NetBIOS)

/ (Examples of SMB-based networks: LAN Manager, Windows for Workgroups, Windows NT, LAN Server.

Samba: a product that uses SMB to allow file sharing between different operating systems; it lets Unix and Windows computers share directories and files.)

(Aside: since it is mostly used on computers running MS Windows, users seem to know it simply as the "Microsoft Windows Network".)


- SMB protocol: a network file-sharing protocol.

(Main characteristics)

Classification -> application-layer or presentation-layer protocol (OSI network model).

Uses lower-level protocols for transport.
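As an added example (not from the original post, and not Microsoft's own detection script), the following PowerShell classifies UNC paths of the form shown above, as they might be extracted from message properties, and flags those whose host lies outside the organisation. The internal DNS suffix, the sample paths and the rule that single-label names count as internal are all assumptions.

```powershell
# Added example: flag UNC paths that point at hosts outside the organisation.
# Assumption: the organisation's internal DNS suffix(es) are listed here.
$InternalDnsSuffixes = @('corp.example.local')

function Test-PrivateIPv4 {
    param([string]$Address)
    # True when $Address is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-UncHost {
    param([string]$Path)
    # Returns the host part of \\host\share\... (also accepts //host/share), else $null
    if ($Path -match '^[\\/]{2}([^\\/]+)(?:[\\/]|$)') { return $Matches[1] }
    return $null
}

function Test-ExternalUncPath {
    param([string]$Path)
    $unchost = Get-UncHost $Path
    if (-not $unchost) { return $false }                 # not a UNC path at all (e.g. C:\...)
    if (Test-PrivateIPv4 $unchost) { return $false }     # private address space
    foreach ($suffix in $InternalDnsSuffixes) {
        if ($unchost -eq $suffix -or $unchost -like "*.$suffix") { return $false }
    }
    # Assumption: a single-label (NetBIOS-style) name resolves internally; review those separately.
    if ($unchost -notmatch '\.') { return $false }
    return $true
}

function Get-ExternalUncPaths {
    param([string[]]$Paths)
    # Returns only the paths that should be investigated
    return @($Paths | Where-Object { Test-ExternalUncPath $_ })
}

# Constructed sample values standing in for paths pulled from message properties
$samples = @(
    '\\fileserver01.corp.example.local\media\reminder.wav',
    '\\10.20.30.40\public\alert.wav',
    '\\203.0.113.25\share\sound.wav',        # TEST-NET-3 address, stands in for an Internet host
    '\\unknown-host.example.net\s\x.wav',
    'C:\Windows\Media\Alarm01.wav'
)

foreach ($s in $samples) {
    $flag = if (Test-ExternalUncPath $s) { 'EXTERNAL' } else { 'ok' }
    '{0,-9} {1}' -f $flag, $s
}
# With these samples, Get-ExternalUncPaths $samples returns the 203.0.113.25 and unknown-host entries.
```

The classifier treats anything it cannot place inside the organisation as suspicious, which is the right default for an incident review: a false positive costs an analyst a minute, while a missed external host is exactly the connection the post describes.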


[Solution]


- All firewall engineers must check their firewall settings to see whether outbound SMB traffic is allowed.

(If yes, it has to be blocked immediately.)


- If possible (in a small business area (BA)),

    (although it is not really recommended),

    Active Directory admins could move users to the 'Protected Users' security group,

    or at least add on-premises accounts there.

Windows 2012 R2 and newer domain controllers support this group,

which prevents the use of NTLM as an authentication method by group members.

(According to MS, adding 'everybody' to the group might impact applications that require NTLM,

so this is an alternative tactic used for selected high-profile accounts.)
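As an added example (not part of the original post), the PowerShell below applies both mitigations listed above on a Windows host and domain: an outbound block for TCP 445 in Windows Defender Firewall, and adding selected accounts to Protected Users. The rule name and the account names are assumptions, and the Protected Users step needs the ActiveDirectory module (RSAT) and 2012 R2 or newer domain controllers.

```powershell
# Added example: apply the post's two mitigations. Run from an elevated PowerShell.

# 1) Block outbound SMB (TCP 445) on all firewall profiles.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'   # assumption: any name works
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: list every enabled outbound rule that blocks remote port 445.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' } |
    Select-Object DisplayName, Profile, Enabled

# 2) Add selected high-value accounts to Protected Users.
Import-Module ActiveDirectory
$highValueAccounts = @('adm.alice', 'adm.bob')   # assumption: sample account names
# -WhatIf prints what would change without applying it; drop it to apply.
Add-ADGroupMember -Identity 'Protected Users' -Members $highValueAccounts -WhatIf

# Confirm current membership.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Two caveats for the operator: a host-level block on all outbound 445 also cuts access to internal file servers, so either scope the rule with -RemoteAddress to the ranges you want blocked or enforce it at the perimeter as the post suggests; and Protected Users does more than disable NTLM (it also rules out weaker Kerberos pre-authentication ciphers and delegation for its members), which is why the post limits it to selected accounts rather than everyone.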




[Reference]

https://success.trendmicro.com/dcx/s/solution/000292525?language=en_US

https://www.securityweek.com/microsoft-patch-tuesday-zero-day-attacks/

https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/
