Security News
The Latest ‘Critical’ Microsoft Outlook Vulnerability: 5 Things To Know
Kyle Alspach
Security researchers say the vulnerability is unusually dangerous and should be prioritized for patching.

Patch Not Sufficient?
Microsoft released a patch for the Outlook vulnerability on Tuesday as part of its monthly release of bug fixes, known as Patch Tuesday. However, some security researchers have determined that the patch is not enough. Chell, of MDSec, said in a tweet that “following some additional testing of #CVE-2023-23397 - I can confirm MS have only partially fixed this. You can still trigger auth to systems in trusted zones - ie other [Active Directory] joined systems, which can then be relayed for privilege escalation.”
Security researcher Will Dormann has also reported confirming Chell’s findings. In order to exploit the flaw for privilege elevation on a patched system, an attacker would have to trigger the vulnerability via a local hostname in the network, Hammond said.
In response to an inquiry by CRN about the researchers’ findings Friday, Microsoft said in a statement that “the security update CVE-2023-23397 we released in March protects customers against the leak of NTLM hashes outside of their network. The technique described requires an attacker to already have gained access to internal networks. We encourage customers to apply the update to remain secure.”