How do I detect Microsoft Outlook 2013/2016 Privilege Escalation Vulnerability?

Information about the Microsoft Outlook 2013/2016 Privilege Escalation Vulnerability (CVE-2023-23397)

CVE-2023-23397 is a privilege escalation vulnerability in Microsoft Outlook for Windows that was actively exploited in the wild before a patch was available.
It allows a remote, unauthenticated attacker to capture the victim's NTLM credentials simply by sending a specially crafted message (for example a calendar appointment or task). The payload is triggered as soon as the Outlook client retrieves and processes the message; the user does not need to open it or click anything.

Successful exploitation yields the victim's Net-NTLMv2 hash (a challenge-response value, not the raw password). An attacker can relay it to other systems that accept NTLM authentication in order to authenticate as the victim, or attempt to crack it offline. Outlook for Mac, Outlook on the web and the mobile clients are not affected.

To check if your systems are affected by the Microsoft Outlook vulnerability
CVE-2023-23397, you will need to run an Authenticated Network Scan using
Holm Security VMP.

You will find detailed information about setting up your authenticated scanning
profile in this article:

And you can find more information in this section:

If your system is vulnerable, you will find the following HID in your
generated scan report:

  • HID-2-1-5349142

To scan for this vulnerability specifically, please do the following:

  1. Log in to your Security Center.
  2. Click on Scan Network > Scans.
  3. Click on Scan profile.
  4. Click Create Scan Profile.
  5. Name the profile under General Settings and choose Basic Scan.
  6. Head to Vulnerabilities.
  7. Under Include, type in the Vulnerability HID: HID-2-1-5349142.
  8. Head to Authentication and fill in the correct credentials.
  9. Click Submit to save the profile.
  10. Now click on Scans > Add new scan > Network scan > Vulnerability scan.
  11. Name your scan under General Settings and choose the pre-created profile.
  12. Head to Targets and choose the target for your scan.
  13. Click Run.
  14. Done!

How do the scripts work?

In our script, we verify the installed version of Microsoft Outlook on the target and check whether it falls within the vulnerable version range, i.e. below the build that the March 2023 security update installs.

Note that this is a version check only: it tells you whether the Outlook client on a host is unpatched, not whether a malicious message has already reached a mailbox. Microsoft published a separate PowerShell script for scanning Exchange mailbox items for messages carrying the malicious property; use that if you need to know whether exploitation was attempted. Also note that the credential leak happens over SMB, so blocking outbound TCP 445 at the perimeter and adding privileged accounts to the Protected Users group reduce exposure but do not replace the patch.
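To make the version check described above concrete, here is a local PowerShell check that can be run on a Windows host. This is an added example written for this page, not Holm Security's scanner script. It assumes the two MSI fixed builds quoted in the comments (Outlook 2013 from KB5002265 and Outlook 2016 from KB5002254), which you should confirm against the Microsoft advisory before relying on them; Click-to-Run installs (Microsoft 365 Apps, Outlook 2019/2021) use per-channel builds that are not tabulated here, so the script reports their build for manual comparison rather than giving a verdict.

```powershell
# Added example (not Holm Security's scanner script): a local, version-based check
# for CVE-2023-23397 on a Windows host, mirroring the logic described in the text.
#
# Assumed fixed builds for MSI (volume-licence) installs, March 14, 2023 updates:
#   Outlook 2013 (KB5002265): 15.0.5529.1000
#   Outlook 2016 (KB5002254): 16.0.5387.1000
# Confirm these against the Microsoft advisory before relying on them.
$FixedMsiBuilds = @{
    15 = [version]'15.0.5529.1000'
    16 = [version]'16.0.5387.1000'
}

function Get-OutlookExePath {
    # Both the MSI and Click-to-Run installers register OUTLOOK.EXE under App Paths;
    # a 32-bit Outlook on 64-bit Windows lands under WOW6432Node.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    )
    foreach ($key in $keys) {
        $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($path -and (Test-Path -LiteralPath $path)) { return $path }
    }
    return $null
}

function Test-OutlookCve202323397 {
    [CmdletBinding()]
    param(
        # Override to test a copied binary; defaults to the registered install.
        [string]$ExePath = (Get-OutlookExePath)
    )

    if (-not $ExePath) {
        return [pscustomobject]@{ Status = 'NotInstalled'; Build = $null; Installer = $null; Path = $null }
    }

    # Build the version from the numeric parts so trailing text in the
    # FileVersion string cannot break the comparison.
    $vi    = (Get-Item -LiteralPath $ExePath).VersionInfo
    $build = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # Click-to-Run installs keep their channel and build here; MSI installs do not have this key.
    $isC2R     = Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $installer = if ($isC2R) { 'ClickToRun' } else { 'MSI' }

    if ($isC2R) {
        # Channel thresholds are not tabulated here; compare the build manually.
        $status = 'VerifyAgainstChannelBuild'
    } elseif (-not $FixedMsiBuilds.ContainsKey($build.Major)) {
        # Outlook 2010 and earlier are out of support and not covered by the update.
        $status = 'OutOfScope'
    } elseif ($build -ge $FixedMsiBuilds[$build.Major]) {
        $status = 'Patched'
    } else {
        $status = 'Vulnerable'
    }

    [pscustomobject]@{ Status = $status; Build = $build; Installer = $installer; Path = $ExePath }
}

# Example run on the local host.
Test-OutlookCve202323397 | Format-List
```

Run it in an elevated or normal PowerShell session on the endpoint; reading App Paths and the file version needs no special privileges. A result of Vulnerable means the March 2023 update (or a later cumulative one) has not been installed; VerifyAgainstChannelBuild means the host runs Click-to-Run and the reported build must be compared with the fixed build for that host's update channel.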