Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

Hi All,

There is an Elevation of Privilege vulnerability in Outlook (CVE-2023-23397) that leaks the user's NTLM credentials. Tony Redmond has explained it very well:

Outlook Elevation of Privilege Vulnerability Leaks Credentials via NTLM

Microsoft Outlook Elevation of Privilege Vulnerability

The Exchange CSS team has released a script to detect affected items and to mitigate them:

CVE-2023-23397 script



Exchange On Prem

You need an RBAC role group that grants the ApplicationImpersonation role, and the account you run the script with must be a member of it (here ewservice@icewolf.ch, the same account used for the throttling policy below).
If you don't have such a role group yet, you can create it and add the account in one step:

New-RoleGroup -Name "CVE-2023-23397-Script" -Roles "ApplicationImpersonation" -Members "ewservice@icewolf.ch" -Description "Permission to run the CVE-2023-23397 script"


To avoid EWS throttling while the script walks through many mailboxes, you can also create a throttling policy and assign it to that account:

New-ThrottlingPolicy CVE-2023-23397-Script
Set-ThrottlingPolicy "CVE-2023-23397-Script" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity "ewservice@icewolf.ch" -ThrottlingPolicy "CVE-2023-23397-Script"



Let's check that Throttling Policy

Get-ThrottlingPolicy -Identity CVE-2023-23397-Script | fl ews*, cpa*


Download the script and run it in an Exchange Management Shell. Use the HTTPS URL of your EWS virtual directory, so the credentials of the scanning account are not sent over plain HTTP:

Get-Mailbox | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL https://<ExchangeServerName>/ews/exchange.asmx

You will be prompted for the credentials of the account you are using to connect to EWS (the member of the role group created above).
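The whole on-prem preparation as one script, as an added example that is not part of the original post or of the Exchange CSS script. It creates the role group and the throttling policy only if they do not exist yet, verifies that the account really holds the ApplicationImpersonation role and the policy, and then runs the scan over all mailboxes. The account, role group and policy names are the ones used above; `<ExchangeServerName>` still has to be replaced.

```powershell
# Added example, not from the original post or the CVE-2023-23397.ps1 script.
# Run in an Exchange Management Shell, from the directory that holds the script.
$ServiceAccount = "ewservice@icewolf.ch"        # account that will connect to EWS (assumption from the post)
$RoleGroupName  = "CVE-2023-23397-Script"
$PolicyName     = "CVE-2023-23397-Script"
$EwsUrl         = "https://<ExchangeServerName>/ews/exchange.asmx"   # replace with your EWS virtual directory (HTTPS)

# 1. Role group with ApplicationImpersonation; create it if missing, otherwise just add the account.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles "ApplicationImpersonation" `
        -Members $ServiceAccount -Description "Permission to run the CVE-2023-23397 script"
} else {
    # Error is suppressed when the account is already a member.
    Add-RoleGroupMember -Identity $RoleGroupName -Member $ServiceAccount -ErrorAction SilentlyContinue
}

# Check that the assignment actually reaches the account through the role group.
$assignment = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role "ApplicationImpersonation"
if (-not $assignment) {
    throw "$ServiceAccount does not hold ApplicationImpersonation; the scan would fail on every mailbox."
}

# 2. Throttling policy with unlimited EWS budget, assigned to the scanning account only.
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $PolicyName | Out-Null
}
Set-ThrottlingPolicy -Identity $PolicyName -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited `
    -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited
Set-Mailbox -Identity $ServiceAccount -ThrottlingPolicy $PolicyName

$appliedPolicy = (Get-Mailbox -Identity $ServiceAccount).ThrottlingPolicy
if ("$appliedPolicy" -ne $PolicyName) {
    throw "Throttling policy on $ServiceAccount is '$appliedPolicy', expected '$PolicyName'."
}

# 3. Scan every mailbox. Get-Mailbox returns only the first 1000 mailboxes by default,
#    so -ResultSize Unlimited is required in larger organizations.
Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment Onprem -EWSServerURL $EwsUrl
```

The two `throw` checks are there because a missing impersonation right or a missing throttling policy does not stop the script; it just produces access errors or slows to a crawl per mailbox, which is easy to miss in a long run.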


No Mailbox with a vulnerability found


Exchange Online

You will need to have the AzureAD PowerShell Module installed

Install-Module AzureAD

Now you need to create the Azure AD application. This step requires the Global Administrator or the Application Administrator role:

.\CVE-2023-23397.ps1 -CreateAzureApplication


This will Create an AzureAD Application


and grant it the Exchange Online application permission "full_access_as_app", which is the equivalent of impersonation: the application can read every mailbox in the tenant.


Now you need to connect to Exchange Online

Connect-ExchangeOnline

Now you can scan your environment:

Get-Mailbox | .\CVE-2023-23397.ps1 -Environment "Online"


You need to authenticate so the script can register a new client secret on the application. That is why the script waits for 60 seconds before it starts scanning.


Every time you run the script it will register a new client secret, so the secrets accumulate on the application as long as it exists.



I have a lot of Test Mailboxes with no Licenses assigned.



Once no vulnerable items are found, delete the Azure AD application again; it holds full_access_as_app to every mailbox and should not stay around:

.\CVE-2023-23397.ps1 -DeleteAzureApplication
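The Exchange Online run as one script, as an added example that is not part of the original post or of the Exchange CSS script. It wraps the scan in try/finally so the application with full_access_as_app (and the client secrets the script adds on every run) is removed again even when the scan aborts or is interrupted, and it scans all mailboxes rather than the first 1000. It assumes the AzureAD and ExchangeOnlineManagement modules are installed and the script is in the current directory.

```powershell
# Added example, not from the original post or the CVE-2023-23397.ps1 script.
# Assumes: Install-Module AzureAD and Install-Module ExchangeOnlineManagement already done,
# and an account with Global Administrator or Application Administrator for the app step.
Connect-ExchangeOnline

# Creates the Azure AD application with full_access_as_app (prompts for authentication).
.\CVE-2023-23397.ps1 -CreateAzureApplication

try {
    # Get-Mailbox returns only the first 1000 mailboxes by default; scan all of them.
    # The script registers a fresh client secret and waits 60 seconds before scanning.
    Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment "Online"
}
finally {
    # Always remove the application: full_access_as_app is impersonation of every mailbox,
    # and each run has added another client secret to it.
    .\CVE-2023-23397.ps1 -DeleteAzureApplication
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If vulnerable items turn up and you need to run the script again, re-running `-CreateAzureApplication` recreates the application; that is cheaper than leaving a tenant-wide mailbox-access application registered between scans.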



Regards
Andres Bohren