Mimecast confirms that as part of our multi-layered approach to security, we have thoroughly reviewed the Microsoft Outlook zero-day vulnerability published on March 14, 2023 and have concluded that the vulnerability does not impact inbound or outbound email for Mimecast Secure Email Gateway customers.
We have created additional protection for our Cloud Integrated customers. However, because customers’ internal emails do not pass through our platform, a potential risk remains, and we recommend that all customers follow the guidance provided here: CVE-2023-23397 - Security Update Guide - Microsoft - Microsoft Outlook Elevation of Privilege Vulnerability.
Mimecast is continuing to test and monitor this vulnerability as more information becomes available.
Additional Support Document:
To exploit the vulnerability, specific Microsoft MAPI properties in Outlook meeting requests are altered to specify a UNC path. When the request is received, NTLM authentication to the specified UNC path can occur immediately, without user interaction. Mimecast has conducted proof-of-concept (POC) tests against our Secure Email Gateway and found that when the exploit is sent directly through the Mimecast platform it is neutralized either by existing protection or by newly created signatures. The MAPI properties being altered are Microsoft-specific attributes.
While RFC-compliant attributes are retained or converted, Microsoft-specific attributes such as PidLidReminderFileParameter are dropped, because Mimecast does not use a Microsoft MTA. If Outlook MSG files are sent as attachments, the Microsoft attributes would not be dropped; at this time, all known examples of such attachments are being detected by anti-virus signatures.
Note: because internal customer emails do not pass through the Mimecast platform, a potential risk remains, and Mimecast strongly recommends deploying the latest Microsoft Outlook security patch to mitigate exploitation of this vulnerability. Microsoft has also provided a script (https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/) that can be used to check whether an exploit has been attempted.
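The following is an added example, not Mimecast's code and not Microsoft's script: a small Python triage helper that applies the check the advisory describes (a reminder-related MAPI property, such as PidLidReminderFileParameter, whose value is a UNC path) to property values that some other tooling has already extracted from calendar items, and reports which of them point outside the organisation. The internal DNS suffix, the sample items and their property values are constructed for this example.

```python
"""Triage extracted MAPI reminder properties for UNC paths (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed internal DNS suffixes for this example (constructed; not from the advisory).
INTERNAL_SUFFIXES = (".corp.example",)

# Matches \\host\share\... and the long form \\?\UNC\host\share\...; captures the host.
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\/]+)(?:[\\/]|$)", re.IGNORECASE)


@dataclass
class Finding:
    property_name: str
    value: str
    host: Optional[str]
    verdict: str  # "ok" (not a UNC path), "internal_unc", or "external_unc"


def unc_host(value: str) -> Optional[str]:
    """Return the host part of a UNC path, or None if the value is not a UNC path."""
    match = _UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def is_internal_host(host: str) -> bool:
    """True for private/loopback IP literals or names under an allow-listed suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)
    return addr.is_private or addr.is_loopback


def triage_property(name: str, value: str) -> Finding:
    """Classify one reminder-related property value."""
    host = unc_host(value)
    if host is None:
        verdict = "ok"
    elif is_internal_host(host):
        verdict = "internal_unc"  # unusual for a reminder sound; worth a second look
    else:
        verdict = "external_unc"  # the pattern the advisory describes
    return Finding(name, value, host, verdict)


def triage_item(props: Dict[str, str]) -> List[Finding]:
    """Triage every reminder-related string property of one calendar item."""
    return [
        triage_property(name, value)
        for name, value in props.items()
        if name.startswith("PidLidReminder") and isinstance(value, str)
    ]


def external_unc_findings(items: List[Dict[str, str]]) -> List[Finding]:
    """Return only the findings whose UNC host lies outside the organisation."""
    return [f for item in items for f in triage_item(item) if f.verdict == "external_unc"]


# Constructed sample calendar items; the property values are made up for this example.
SAMPLE_ITEMS = [
    {"PidLidReminderFileParameter": r"C:\Windows\Media\notify.wav"},
    {"PidLidReminderFileParameter": r"\\fileserver.corp.example\media\chime.wav"},
    {"PidLidReminderFileParameter": r"\\files.example.net\share\alert.wav"},
    {"PidLidReminderFileParameter": r"\\?\UNC\files.example.net\share\alert.wav"},
]

if __name__ == "__main__":
    for finding in external_unc_findings(SAMPLE_ITEMS):
        print(f"{finding.verdict}: {finding.property_name} -> {finding.value} (host {finding.host})")
```

The helper only classifies values it is handed; extracting the properties from mailbox items or MSG attachments is left to the tooling already in use (the Microsoft script linked above covers Exchange mailboxes). Internal UNC hosts are reported separately rather than ignored, since a reminder sound on a file share is rare enough to deserve a look even when the host is trusted.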