Hackers use known Microsoft Outlook Privilege Escalation Bug

News Summary:

  • Microsoft later attributed this activity to Russia-based actors; the exploits were used in targeted attacks against a limited number of organizations.

  • Following the discovery that a critical vulnerability in Microsoft Outlook, CVE-2023-23397, was being actively exploited by attackers, Cisco Talos announced that it will update its email client as soon as possible after the vulnerability was discovered. Ask all Outlook users to update their

Exploitation of this vulnerability resulted in attacks from mid-April to December 2022.

The PidLidReminderFileParameter allows the client to specify the file name of the sound to play when the object’s reminder expires.

The CVE-2023-23397 vulnerability affects all Microsoft Outlook products running on Windows operating systems. It is an NTLM vulnerability that can be exploited to steal credentials and, by escalating privileges, gain broad access to an organization. An attacker can create emails, calendar invitations, or tasks that contain the PidLidReminderFileParameter extended MAPI property.

The PidLidReminderFileParameter property is used to specify a Universal Naming Convention (UNC) path to an SMB share that the attacker controls.

An attacker could use the Net-NTLMv2 hash sent from a vulnerable system to perform an NTLM relay attack on another system.
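
As an added example (not from the original article or from Microsoft), the check below triages PidLidReminderFileParameter values that have already been extracted from mailbox items and flags any that hold a UNC path instead of a sound file name. The internal DNS suffix, the address ranges treated as internal, and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this example: what counts as "internal" in the organisation.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# \\host\share or //host/share, with an optional \\?\UNC\ long-path prefix.
_UNC = re.compile(
    r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})(?P<host>[^\\/?]+)(?:[\\/]|$)",
    re.IGNORECASE)

def unc_host(value):
    """Return the lower-cased host of a UNC path, or None for anything else."""
    m = _UNC.match(value.strip())
    if not m:
        return None
    # Strip WebDAV-style suffixes such as host@80 or host@SSL@443.
    return m.group("host").split("@", 1)[0].lower()

def classify(value):
    """'ok' = not a UNC path, 'review' = internal host, 'alert' = external host."""
    host = unc_host(value)
    if host is None:
        return "ok"
    try:
        ip = ipaddress.ip_address(host)
        internal = any(ip in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal: single-label or allow-listed DNS name
        internal = "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return "review" if internal else "alert"

def triage(items):
    """items: iterable of (item_id, property_value); returns non-'ok' findings."""
    return [(item_id, unc_host(v), classify(v))
            for item_id, v in items if classify(v) != "ok"]

# Constructed sample values, not taken from any real mailbox.
SAMPLES = [
    ("msg-1", "reminder.wav"),
    ("msg-2", r"C:\Windows\Media\Alarm01.wav"),
    ("task-3", r"\\fs01.corp.example\sounds\chime.wav"),
    ("appt-4", r"\\203.0.113.7\share\a.wav"),
    ("appt-5", r"\\?\UNC\files.example.net\x\y.wav"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```

A reminder sound is normally a local file name, so any UNC value deserves a look; the "alert" verdict marks the case described above, where the host lies outside the organisation.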