BSI warns: exploitation of a vulnerability in MS Outlook

B2B Cyber Security ShortNews


The BSI warns of a vulnerability in Microsoft Outlook that is apparently already being actively exploited. With a CVSS score of 9.8 it is rated critical. Microsoft has released an update, which should be installed immediately if it has not already been applied automatically.

On March 14, 2023, Microsoft released updates for numerous vulnerabilities on its monthly Patch Tuesday, including several patches for security vulnerabilities that are classified as "critical" under the Common Vulnerability Scoring System (CVSS), i.e. with scores of 9.0 and higher.


Important patch ready

The publications include the patch for a "Microsoft Outlook Elevation of Privilege Vulnerability" (CVE-2023-23397; CVSS score 9.8), for which Microsoft states that the vulnerability is already being actively exploited. An attacker sends a specially crafted e-mail, appointment or task whose reminder points to a file on a UNC path (e.g. \\attacker-host\share\...) on a server the attacker controls; when Outlook processes the reminder it connects to that server over SMB and authenticates, which leaks the user's Net-NTLMv2 hash. The attack is triggered as soon as the Outlook client retrieves and processes the message, even before it is displayed in the preview pane, so no action by the recipient is necessary. All supported versions of Outlook for Windows are affected; according to Microsoft, Outlook for Android, iOS and macOS and Outlook on the web are not. More information can be found in Microsoft's blog post.
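The indicator a mailbox check looks for, as an added illustration that is not part of the BSI advisory and not Microsoft's own script: the crafted item carries the extended MAPI property PidLidReminderFileParameter (property set PSETID_Common, LID 0x851F) with a remote path, usually together with PidLidReminderOverride (LID 0x851C) set to true. The function below assumes those two properties have already been read out of each mailbox item (for example over EWS, which is how Microsoft's script does it) and are handed in as plain values; the sample messages are constructed, and the addresses in them are documentation ranges.

```powershell
# Added example (not BSI or Microsoft code): flag mailbox items whose reminder
# sound file points at a remote host, the trigger for CVE-2023-23397.
# Assumes the caller already extracted two extended MAPI properties per item:
#   property set PSETID_Common {00062008-0000-0000-C000-000000000046}
#   LID 0x851C PidLidReminderOverride      (Boolean)
#   LID 0x851F PidLidReminderFileParameter (String)

function Test-ReminderFileParameter {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Sender,
        [bool]$ReminderOverride,
        [string]$ReminderFileParameter
    )

    # Property absent: nothing to report.
    if ([string]::IsNullOrEmpty($ReminderFileParameter)) { return }

    # A legitimate custom reminder sound is a local path (C:\...). Anything that
    # names another host is what the exploit needs; the file extension is irrelevant.
    $remoteHost = $null
    if ($ReminderFileParameter -match '^\\\\([^\\]+)\\') {
        $remoteHost = $Matches[1]          # \\host\share\file.wav
    } elseif ($ReminderFileParameter -match '^file://+([^/]+)/') {
        $remoteHost = $Matches[1]          # file://host/share/file.wav
    }
    if (-not $remoteHost) { return }

    # RemoteHost is the value to hunt for in proxy/firewall logs and to block on 445.
    [pscustomobject]@{
        Subject      = $Subject
        Sender       = $Sender
        Target       = $ReminderFileParameter
        RemoteHost   = $remoteHost
        OverrideSet  = $ReminderOverride
    }
}

# Constructed sample items (not real mailbox data).
$messages = @(
    @{ Subject='Team lunch';       Sender='alice@example.com';   ReminderOverride=$false; ReminderFileParameter=$null },
    @{ Subject='Quarterly review'; Sender='bob@example.com';     ReminderOverride=$true;  ReminderFileParameter='C:\Windows\Media\Alarm01.wav' },
    @{ Subject='Invoice';          Sender='billing@example.net'; ReminderOverride=$true;  ReminderFileParameter='\\203.0.113.5\share\reminder.wav' },
    @{ Subject='Meeting';          Sender='billing@example.net'; ReminderOverride=$true;  ReminderFileParameter='file://203.0.113.5/share/x.wav' }
)

$hits = foreach ($m in $messages) { Test-ReminderFileParameter @m }
$hits | Format-Table Subject, Sender, RemoteHost, Target -AutoSize
```

Only the last two items are reported: the first has no reminder file at all and the second points to a local file, which is what a legitimate custom reminder sound looks like. The host names extracted into RemoteHost are what you would search for in outbound SMB/WebDAV connection logs to find out whether a client actually reached the attacker's server.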

More critical vulnerabilities with 9.8 out of 10

Microsoft lists the following further vulnerabilities with the highest CVSS scores; according to the current state of knowledge they are not yet being actively exploited:

  • HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2023-23392; CVSS score 9.8): affects Windows Server 2022 in particular, but only where the HTTP/3 protocol is enabled. HTTP/3 is off by default in HTTP.sys and has to be switched on explicitly, so hosts that have not done so are not exposed.
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2023-21708; CVSS score 9.8): affects Windows servers whose RPC Endpoint Mapper (TCP port 135) can be reached by the attacker; blocking TCP port 135 at the network perimeter removes the exposure from the internet.
  • Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability (CVE-2023-23415; CVSS score 9.8): an attacker sends a crafted ICMP packet carrying a fragmented IP packet. The vulnerable code path is only reached if an application on the target is bound to a raw socket, so systems without such an application are not exploitable in practice.

IT security managers should check promptly that the published patches have been installed. Mitigation of the "Microsoft Outlook Elevation of Privilege Vulnerability" (CVE-2023-23397) described above should be given the highest priority, because exploitation has already been observed. Reviewing the other updates at short notice is also strongly recommended: although no attacks on them are known yet, Microsoft rates exploitation as likely.

According to Microsoft, attackers can use the Net-NTLMv2 hashes obtained by exploiting CVE-2023-23397 for NTLM relay attacks: the hash is not cracked but forwarded to another service that accepts NTLM authentication, so the attacker acts as the victim there. NTLM relay attacks can be mitigated by enforcing SMB and LDAP signing, Extended Protection for Authentication (EPA) or, ideally, by disabling NTLM authentication altogether. Microsoft additionally recommends adding high-value accounts to the Protected Users security group, whose members cannot authenticate with NTLM, and blocking outbound TCP port 445 (SMB) to the internet so that the leaked authentication never reaches the attacker's server. Microsoft also provides a PowerShell script (CVE-2023-23397.ps1) that scans Exchange Online or Exchange Server mailboxes for items whose reminder property points to a UNC path, so that administrators can check whether their own systems have already been targeted.
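The mitigations above expressed as PowerShell, as an added example that is not part of the BSI advisory or of Microsoft's guidance text. It is meant to be run with administrative rights; the account names and the firewall rule name are placeholders, the registry values are the documented LDAP signing and channel binding settings for domain controllers.

```powershell
# Added example (not BSI or Microsoft code): harden against NTLM relay of the
# Net-NTLMv2 hash leaked by CVE-2023-23397. Run elevated; names are placeholders.

# 1. Require SMB signing on server and client side. A relayed NTLM authentication
#    cannot complete the session setup without the session key, so relay to SMB fails.
#    Caveat: clients that cannot sign (very old devices, some appliances) lose access.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 2. On domain controllers only: require LDAP signing (LDAPServerIntegrity = 2)
#    and enforce LDAP channel binding, i.e. EPA for LDAPS (LdapEnforceChannelBinding = 2).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'      -Value 2 -Type DWord
Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord

# 3. Protected Users: members can no longer authenticate with NTLM, so a leaked
#    Net-NTLMv2 response for them is useless to relay. Use it for user accounts
#    (admins first), not for service or computer accounts. Requires the ActiveDirectory module.
Add-ADGroupMember -Identity 'Protected Users' -Members 'jdoe', 'admin-jdoe'

# 4. Stop the outbound SMB connection that carries the hash from leaving the network.
#    'Internet' is the built-in address keyword for everything outside the local subnets.
New-NetFirewallRule -DisplayName 'Block outbound SMB to internet (CVE-2023-23397)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block

# Verify the signing settings took effect.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

Step 4 is the one that also prevents the initial leak rather than only its reuse, because Outlook never reaches the attacker's SMB server; the same rule belongs on the perimeter firewall and in the VPN client configuration, since a roaming laptop leaves the corporate perimeter but keeps its local firewall.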

More at BSI.bund.de

 

