Taggart: ~# :idle: · @mttaggart
3212 followers · 4235 posts · Server fosstodon.org

Here it is: the code that successfully exploited remotely.

It turns out that the ReminderOverrideDefault, ReminderPlaySound, and ReminderSoundFile properties are available on straight-up emails, not just cal invites. Tasks also, but mail is easiest.

So load this function, then run the function as shown.

The result is that you and the recipient will have hashes disclosed to the remote SMB server.

#cve202323397

Last updated 1 year ago
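As an added example (not Taggart's code, which is not reproduced on this page), here is a defensive counterpart: a PowerShell hunt over a local Outlook profile that uses the Outlook COM object model to list mail items where the same three properties are set and ReminderSoundFile points at a UNC path or a URL rather than a local file. It assumes Outlook is installed with a configured profile on the machine it runs on; the regular expression for "non-local path" and the function name are my own.

```powershell
# Added example, not from the original post. Hunt the default Inbox for mail items
# whose reminder sound file is a UNC path or URL. When such a reminder fires, Outlook
# opens the path and the client authenticates (NTLM) to whatever host it names.
function Find-SuspiciousReminders {
    param(
        # olFolderInbox = 6; pass 13 (olFolderTasks) to hunt task items as well
        [int]$DefaultFolder = 6
    )

    $outlook   = New-Object -ComObject Outlook.Application
    $namespace = $outlook.GetNamespace("MAPI")
    $folder    = $namespace.GetDefaultFolder($DefaultFolder)

    # Heuristic (assumption): anything starting with \\, // or http(s):// is not a
    # local sound file. Legit ReminderSoundFile values look like C:\Windows\Media\x.wav.
    $nonLocal = '^(\\\\|//|https?://)'

    foreach ($item in $folder.Items) {
        # olMail = 43, olTask = 48; other item classes are skipped
        if ($item.Class -ne 43 -and $item.Class -ne 48) { continue }

        # The override flag is what makes Outlook honour the per-item sound file
        if (-not $item.ReminderOverrideDefault) { continue }

        $sound = $item.ReminderSoundFile
        if ($sound -and $sound -match $nonLocal) {
            [pscustomobject]@{
                Received   = $item.ReceivedTime
                Sender     = $item.SenderEmailAddress
                Subject    = $item.Subject
                SoundFile  = $sound
                PlaySound  = $item.ReminderPlaySound
                ReminderOn = $item.ReminderSet
            }
        }
    }
}

# Usage: list hits in the Inbox, then in Tasks
Find-SuspiciousReminders | Format-Table -AutoSize
Find-SuspiciousReminders -DefaultFolder 13 | Format-Table -AutoSize
```

Two caveats. Walking a large mailbox item by item over COM is slow; this is a triage tool for a single suspect host, not a tenant-wide sweep. And finding a hit does not mean the reminder has already fired, so check the SMB/WebDAV egress logs for the host named in SoundFile before deciding whether credentials were exposed.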

Taggart: ~# :idle: · @mttaggart
3209 followers · 4222 posts · Server fosstodon.org

I'm once again asking if _anyone_ has seen the PoCs for this actually work against remote targets.

MDSec demo: local attack
Hammond's demo: local attack
My own testing: local attack

With both flavors of PoC right now, I can only get this thing to trigger on my own machine, but not recipients. The invite is received, but the SMB server is not contacted by the target. I'm wondering if we're missing something here.

#cve202323397 #infosec #threatintel #cybersecurity

Last updated 1 year ago

Taggart: ~# :idle: · @mttaggart
3204 followers · 4201 posts · Server fosstodon.org

So the Outlook jawn.

Sending NTLMv2 hashes to the web sucks, but to me this is scarier as a post-exploit spearphishing tool. Imagine hanging out in a network with Inveigh/Responder, then being able to email the exact person whose hash you want.

#cve202323397 #infosec #cybersecurity

Last updated 1 year ago

Ján Trenčanský · @j91321
76 followers · 140 posts · Server infosec.exchange

Partial mitigation for CVE-2023-23397 if you are running ESET is to configure your trusted zone and enable "Deny NTLM authentication in SMB protocol for connecting a server outside the Trusted zone". (This is the ESET firewall Trusted Zone, not the Windows one.)

While this won't stop the WebDAV authentication, it's a good mitigation to consider.

Kudos to @donnymaasland@twitter.com for testing it. twitter.com/donnymaasland/stat

#cve202323397

Last updated 1 year ago

Joe Słowik · @jfslowik
2810 followers · 1798 posts · Server infosec.exchange

This article by me at Forbes has now been updated with analysis from Mandiant (now part of Google Cloud), which reports Fancy Bear (APT28) has been exploiting CVE-2023-23397 since April 2022.

"This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term" - John Hultquist, head of Mandiant Intelligence Analysis.

forbes.com/sites/daveywinder/2

#infosec #microsoft #outlook #zeroday #cve202323397 #mandiant #threatanalysis #news #russiaukrainewar

Last updated 1 year ago

Frehi · @frehi
72 followers · 820 posts · Server fosstodon.org

While my colleagues are updating Outlook and patching Exchange, I just added a Custom IOA rule in @crowdstrike to detect and block CVE-2023-23397 TCP/445 emanating from Outlook.

reddit.com/r/crowdstrike/comme

#cve202323397 #atp #mitigation #microsoft #outlook #zeroday

Last updated 1 year ago
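The ESET and CrowdStrike rules above both come down to the same control: stop Outlook (or the host) from speaking SMB to anything outside the trusted network. As an added example, not taken from either post or vendor, here is the equivalent expressed in built-in Windows tooling, plus the WebDAV fallback that the ESET post notes its rule does not cover. It assumes a Click-to-Run Office install for the Outlook path; the rule display names are my own.

```powershell
# Added example, not from the posts above. Host-level mitigations for CVE-2023-23397
# using Windows Defender Firewall and the WebClient service. Run elevated.

# Assumed path for Click-to-Run Office; adjust for MSI or 32-bit installs.
$outlookExe = "$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE"

# 1. Block Outlook itself from initiating SMB to non-local addresses.
#    'Internet' is the firewall's built-in keyword for addresses outside the
#    local subnet and intranet ranges, so domain file servers keep working.
New-NetFirewallRule -DisplayName "Block Outlook outbound SMB (CVE-2023-23397)" `
    -Direction Outbound -Program $outlookExe `
    -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
    -Action Block -Profile Any

# 2. Microsoft's broader recommendation: block all outbound TCP/445 to the internet
#    from the host, not just from Outlook. Hosts that reach shares over a VPN that
#    presents as 'Internet' to the firewall need a scoped exception.
New-NetFirewallRule -DisplayName "Block outbound SMB to Internet" `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
    -Action Block -Profile Any

# 3. The SMB-only rule leaves the WebDAV path open: when SMB to a UNC host fails,
#    Windows retries the same path over HTTP through the WebClient service, and the
#    NTLM exchange happens there instead. Disabling WebClient closes that fallback
#    on hosts that do not need it (SharePoint "Open in Explorer" depends on it).
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 4. Verify the rules are present, enabled and blocking.
Get-NetFirewallRule -DisplayName "*outbound SMB*" |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize
```

These are compensating controls, not a substitute for the Outlook update. Microsoft's guidance at the time also recommended adding high-value users to the Protected Users group, which disables NTLM for those accounts entirely and so removes the hash that the reminder is trying to coerce in the first place.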