Activity Feed
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-exploited-vulnerability-catalog)
Technical Analysis
Upon creation of a new user or when an existing user changes their user name, some local environment variables are updated to reflect those changes. The functionality involved in making these changes uses the \u0000 character as a delimiter, allowing for injection of environment variables into the user name if input such as username\u0000ENV_VAR=VALUE is used. The GIT_EXTERNAL_DIFF environment variable will execute the script that it’s assigned to when git diff is called, which can occur by viewing a diff in a repository hosted with Bitbucket.
An attacker must be able to modify or set a user name in order to inject an environment variable and payload into it. Bitbucket appears to only allow users in the admin and sys admin groups this particular permission. In some cases, this vulnerability can be exploited without authentication through the allow public signup feature in Bitbucket, a non-default feature which permits account creation for anyone that has public access to the server. While this means an attacker has control over the user name and can consequently inject a payload into it, they cannot change the user name. This doesn’t bode well for attackers who want to evade detection.
Exploit attempts can be detected in various ways. Length restrictions on the user name make it difficult to drop anything other than a simple shell on the target, leading to multiple name change requests in the logs. Additionally, the user name, including the GIT_EXTERNAL_DIFF= string will appear in the logs and will remain on the site if exploited through the public signup option. Lastly, the GIT_EXTERNAL_DIFF environment variable will remain set if exploitation fails.
Technical Analysis
Description
CVE-2023-23397 is a zero-interaction vulnerability in Microsoft Outlook patched in the March 14, 2023 Patch Tuesday release. This vulnerability was reported to Microsoft as exploited in the wild by CERT-UA (Ukrainian CERT) which has strongly implied nation-state exploitation. Microsoft has released an advisory via MSRC. Although the vulnerability is technically an elevation of privilege (EoP) vulnerability, under certain conditions, the impact of this vulnerability is functionally equivalent to an authentication bypass.
Affected products include:
- All versions of Microsoft Outlook for Windows are impacted.
- Versions of Microsoft Outlook for Mac, iOS, Android, Outlook web access, and Microsoft 365 are not affected.
Technical analysis
Rapid7 analysts have corroborated MDSec’s analysis of the audit script provided by Microsoft. According to this analysis, the vulnerability results from the receipt of a crafted Outlook MSG file where the ”PidLidReminderFileParameter” – a message property that accepts a universal naming convention (UNC) path – is set to an attacker-controlled resource, such as an IP address.
By setting this parameter to an external IP, it will trigger NTLM authentication to this IP address whether or not the email has been viewed in the preview pane. That is, the connection to the attacker-controlled SMB server will send the user’s NTLM negotiation message, which allows an attacker to relay that message to authenticate against other systems that support NTLM authentication. In effect, this means that the receipt of a crafted MSG file can result in user impersonation against certain systems – essentially an authentication bypass.
Guidance
Microsoft Outlook users are encouraged to patch as soon as possible. Additionally, outbound connections on port 445 should be blocked by a firewall.
Adding users to the Protected Users Security Group will prevent the use of NTLM as an authentication mechanism, but may impact applications that require NTLM.
Microsoft has provided documentation and a script to determine if your organization was targeted by threat actors.
References
- Government or Industry Alert
Technical Analysis
Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.
By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.
Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction and the vulnerability can be triggered without either reading the email or viewing the email in preview mode, the vulnerability will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.
CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397
