#msoutlook #cve #patchtuesday #march2023 #vulnerability
Mitigations
The following mitigating factors may be helpful in your situation:
Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM.
Consider using it for high-value accounts such as domain administrators when possible. Note: This may impact applications that require NTLM, but the settings will be restored once the user is removed from the Protected Users group. Please see Protected Users Security Group for more information.
Block TCP 445/SMB going out of your network using a perimeter firewall, local firewall, and through your VPN settings. This will prevent NTLM authentication messages from being sent to remote file shares.
Details
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as the basis of an NTLM Relay attack against another service to authenticate as a user.
Is the preview pane an attack vector for this vulnerability?
The attacker could exploit this vulnerability by sending a specially crafted email that is automatically triggered when retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is displayed in the preview pane.
How could an attacker exploit this vulnerability?
External attackers could send specially crafted emails that cause the victim to log in to an external UNC location under the attackers' control. This will leak the victim's Net-NTLMv2 hash to the attacker who can then pass it to another service and authenticate as the victim.
Please take the opportunity to connect and share this video with your friends and family if you find it useful.
No Comments