overview

Microsoft has recently patched several critical vulnerabilities impacting Outlook. The primary focus of this notice is on CVE-2023-23397, previously exploited by the Russian-state-sponsored threat actor Forrest Blizzard, and its associated bypass, CVE-2023-35384, along with a new remote code execution vulnerability, CVE-2023-36710. 

CVE-2023-23397: Outlook Vulnerability Exploited by Forrest Blizzard 

  • This critical vulnerability allowed threat actors to extract NTLM credentials during Outlook client connections to an attacker-controlled server. 
  • Exploitation of this zero-click vulnerability was observed in the wild by the Russian-state-sponsored threat actor Forrest Blizzard. 
  • Microsoft patched this vulnerability in March 2023, but a new bypass (CVE-2023-35384) has been discovered, allowing threat actors to load a malicious audio file into Outlook, bypassing the security patch. 

CVE-2023-35384: Windows HTML Platforms Security Feature Bypass 

  • A security feature bypass vulnerability in the CreateFile function, causing path-type confusion between local device paths and URLs. 
  • This allows threat actors to leverage the bypass as an advantage, loading a malicious audio file into Outlook and bypassing the security patch. 
  • CVSS score is 6.5. 

CVE-2023-36710: Windows Media Foundation Core Remote Code Execution 

  • A remote code execution vulnerability exists in the Windows Media Foundation Core, specifically in the mapWavePrepareHeader function. 
  • The vulnerability is triggered by playing a malicious audio file, susceptible to an integer overflow attack. 
  • CVSS score is  7.8 and the smallest possible exploitable file size is approximately 1 GB. 

 

 

avertium's recommendationS

  • Organizations are strongly advised to follow Microsoft's guidance for detecting and mitigating the original Outlook vulnerability. You may find patch guidance for CVE-2023-23397 in Microsoft’s advisory 
  • Due to the identified bypass (CVE-2023-35384), extra caution is recommended, and additional measures may be necessary to prevent exploitation. You may find guidance in Microsoft’s advisory 
  • You may also find guidance for CVE-2023-66710 in Microsoft’s Advisory 
  • Akamai has published a comprehensive report detailing the vulnerabilities, source code, functions, and workarounds for reference. 


 

 

INDICATORS OF COMPROMISE (IoCs)

CVE-2023-23397 

URLs 

  • \\5.199.162[.]132\SCW 
  • \\101.255.119[.]42\event\2431 
  • \\101.255.119[.]42\mail\a5b3553d 
  • \\181.209.99[.]204\information 
  • \\213.32.252[.]221\silence 
  • \\168.205.200[.]55\test 
  • \\213.32.252[.]221\fwd 
  • \69.162.253[.]21\pets 
  • \\185.132.17[.]160\aojv43 
  • \\69.51.2[].106\report 
  • \\113.160.234[.]229\istanbul 
  • \\85.195.206[.]7\lrmng 
  • \\24.142.165[.]2\req 
  • \\85.195.206[.]7\power 
  • \\61.14.68[.]33\rem 
  • \\42.98.5[.]225\ping 

IP Addresses  

  • 101.255.119[.]42 
  • 181.209.99[.]204 
  • 213.32.252[.]221 
  • 168.205.200[.]55 
  • 69.162.253[.]21 
  • 185.132.17[.]160 
  • 69.51.2[.]106 
  • 5.199.162[.]132 
  • 24.142.165[.]2 

At this time, there are no known IoCs associated with CVE-2023-35384 and CVE-2023-66710. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 

  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  

  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 


 

 

SUPPORTING DOCUMENTATION

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers (thehackernews.com) 

Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits (thehackernews.com) 

CVE-2023-35384 - Security Update Guide - Microsoft - Windows HTML Platforms Security Feature Bypass Vulnerability 

Released: March 2023 Exchange Server Security Updates - Microsoft Community Hub 

CVE-2023-36710 - Security Update Guide - Microsoft - Windows Media Foundation Core Remote Code Execution Vulnerability 

CVE-2023-35384 - Security Update Guide - Microsoft - Windows HTML Platforms Security Feature Bypass Vulnerability 

Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 1 | Akamai 

Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability | Securelist 

 

Chat With One of Our Experts




Flash Notice Microsoft Vulnerability Critical Vulnerability Microsoft Outlook Outlook Blog