Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
Hi All,
There is a Outlook Escalation of Privilege Vulnerability in Outlook. Tony Redmond has explained that very well
Outlook Elevation of Privilege Vulnerability Leaks Credentials via NTLM
Microsoft Outlook Elevation of Privilege Vulnerability
Exchange CSS has released a Script to test and mitigate
CVE-2023-23397 script
Exchange On Prem
You need to have an RBAC Admin Role that allows Application Impersonation and assign an Account.
If you don't have that Role you can create it
New-RoleGroup -Name "CVE-2023-23397-Script" -Roles "ApplicationImpersonation" -Description "Permission to run the CVE-2023-23397 script
You can also create a Throttling Policy
New-ThrottlingPolicy CVE-2023-23397-Script
Set-ThrottlingPolicy "CVE-2023-23397-Script" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity "ewservice@icewolf.ch" -ThrottlingPolicy "CVE-2023-23397-Script"
Set-ThrottlingPolicy "CVE-2023-23397-Script" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity "ewservice@icewolf.ch" -ThrottlingPolicy "CVE-2023-23397-Script"
Let's check that Throttling Policy
Get-ThrottlingPolicy -Identity CVE-2023-23397-Script | fl ews*, cpa*
Download the Script and run it in a Exchange Management Shell
Get-Mailbox | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL http://<ExchangeServerName>/ews/exchange.asmx
You will need to provide the Credentials of the Account you are using to connect to EWS
No Mailbox with a vulnerability found
Exchange Online
You will need to have the AzureAD PowerShell Module installed
Install-Module AzureAD
Now you need to create the AzureAD Application and you need to have the Global Administrator or an Application Administrator Role.
.\CVE-2023-23397.ps1 -CreateAzureApplication
This will Create an AzureAD Application
And set the Permission "full_access_as_app" which is like Impersonation.
Now you need to connect to Exchange Online
Connect-ExchangeOnline
Now you can scan your environement
Get-Mailbox | .\CVE-2023-23397.ps1 -Environment "Online"
You need to Authenticate to register a new Client Secret. That's why the Script has to wait for 60 Seconds
Every time you run the Script it will register a new Client Secret
I have a lot of Test Mailboxes with no Licenses assigned.
If no vulnerable Items are found the Azure AD Application can be deletet
.\CVE-2023-23397.ps1 -DeleteAzureApplication
Regards
Andres Bohren