Remediation of CVE-2023-23397 - Outlook SMB Vulnerability

On 14 March 2023 Microsoft released a security fix for CVE-2023-23397. This vulnerability is a particularly bad one because the exploit requires no user interaction to trigger!

Brian Scheewe

Wednesday, March 22, 2023

On 14 March 2023 Microsoft released a security fix for CVE-2023-23397, an elevation-of-privilege vulnerability in Outlook for Windows. It is a particularly bad one because exploitation requires no user interaction: a crafted message points Outlook's reminder at an attacker-controlled SMB share, and when the reminder fires Outlook connects to that share and sends the user's Net-NTLMv2 authentication, without the message ever being opened. This post won't go into further details of the vulnerability itself because much has already been written on the subject. Instead we'll focus on how to address it with PowerShell.

One of the challenges IT teams face is that several versions of Outlook are often running in the same organization. Click-to-Run builds (Microsoft 365 Apps, Office 2019 and Office LTSC 2021) can be patched from the command line with OfficeC2RClient.exe, whereas the older MSI-based installs (Office 2013 and 2016) receive the fix as an Outlook security update through Windows Update / Microsoft Update. In both cases it is best to deploy the fix immediately rather than wait for the normal patch cycle.

OfficeC2RClient.exe (installed under C:\Program Files\Common Files\microsoft shared\ClickToRun) can update supported versions of Office silently with the following command. forceappshutdown=true closes running Office applications, so warn users or schedule accordingly:

```powershell
OfficeC2RClient.exe /update user updatepromptuser=false forceappshutdown=true displaylevel=false
```

For the MSI-based versions of Office, we can use the PSWindowsUpdate module to request a specific update from Windows Update. The module can be downloaded from the PowerShell Gallery. The -MicrosoftUpdate switch matters here: Office updates are published through the Microsoft Update service rather than plain Windows Update, so without it the KB is not found. The following commands install the Outlook fix for each version:

Outlook 2013

```powershell
Install-WindowsUpdate -KBArticleID KB5002265 -MicrosoftUpdate -IgnoreReboot -Verbose -Confirm:$false
```

Outlook 2016

```powershell
Install-WindowsUpdate -KBArticleID KB5002254 -MicrosoftUpdate -IgnoreReboot -Verbose -Confirm:$false
```

Putting it all together

Before we just fire off these commands, we should first do some discovery on the devices to determine which version of Outlook is installed and whether that version is vulnerable. This discovery must take into account both the legacy MSI installation model (Office 2013 and 2016) and the newer Click-to-Run model, because the two report their versions differently and are patched by different mechanisms.

The following script will perform that discovery, check the version of Outlook and run the relevant patch. I can't take credit for the entirety of the script because I only improved upon a script from this Reddit post.

```powershell
# Uninstall keys for 64-bit and 32-bit products; every product check below reads both
$uninstallKeys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

# Check for Office Click-To-Run products
$officeC2R = Get-ItemProperty $uninstallKeys |
    Where-Object {
        $_.DisplayName -like "*Microsoft Office Professional Plus 2019*" -or
        $_.DisplayName -like "*Microsoft Office Professional Plus 2021*" -or
        $_.DisplayName -like "*Microsoft Office 365*" -or
        $_.DisplayName -like "*Microsoft 365*"
    } | Select-Object -First 1   # all C2R products on a device share one build, so one entry is enough

# Update Click-To-Run Office products (Office 2019, 2021, 365, etc.)
if ($null -ne $officeC2R) {
    $installedversion = $officeC2R.DisplayVersion
    $installedproduct = $officeC2R.DisplayName
    Write-Output "$installedproduct $installedversion installed."
    $channel = Get-ItemPropertyValue "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name UpdateChannel
    # Minimum fixed build per update channel, from Microsoft's 14 March 2023 release notes
    if ($channel -eq 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60') {
        Write-Output "Current Channel"
        $version = '16.0.16130.20306'
    } elseif ($channel -eq 'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6') {
        Write-Output "Monthly Enterprise Channel"
        $version = '16.0.16026.20238'
    } elseif ($channel -eq 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf') {
        Write-Output "Semi-Annual Enterprise Channel (Preview)"
        $version = '16.0.16130.20306'
    } elseif ($channel -eq 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114') {
        Write-Output "Semi-Annual Enterprise Channel"
        $version = '16.0.15601.20578'
    } elseif ($channel -eq 'http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208') {
        Write-Output "2019 Volume Licensed Channel"
        $version = '16.0.10395.20023'
    } elseif ($channel -eq 'http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e') {
        Write-Output "LTSC 2021 Volume Licensed Channel"
        $version = '16.0.14332.20481'
    } else {
        Write-Output "Channel URL $channel not listed in script"
        $version = "N/A"
    }
    if ($version -ne "N/A") {
        # Compare as [version], not as strings: with string comparison "16.0.9999.20000" sorts above "16.0.16130.20306"
        if ([version]$installedversion -lt [version]$version) {
            Write-Output "$installedproduct needs to be patched"
            Start-Process -WindowStyle hidden -FilePath "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" `
                -ArgumentList "/update user updatepromptuser=false forceappshutdown=true displaylevel=false" -Wait
        } else {
            Write-Output "$installedproduct is up to date"
        }
    }
}

# Check for Office 2013 and 2016 (MSI installs, patched through Windows Update)
$office2013 = Get-ItemProperty $uninstallKeys | Where-Object { $_.DisplayName -like "*Microsoft Office Professional Plus 2013*" }
$office2016 = Get-ItemProperty $uninstallKeys | Where-Object { $_.DisplayName -like "*Microsoft Office Professional Plus 2016*" }
if ($office2013) {
    "Office 2013 is installed."
} elseif ($office2016) {
    "Office 2016 is installed."
} else {
    "Office 2013 or 2016 are not installed."
    exit
}

# Check for NuGet on the device and install if not present
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
if (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue) {
    Write-Host "NuGet Package already exists"
} else {
    "Installing NuGet"
    Install-PackageProvider -Name NuGet -Force
}

# Install PSWindowsUpdate PowerShell module if needed
if (!(Get-Module -Name PSWindowsUpdate -ListAvailable)) {
    Write-Output "PSWindowsUpdate module not found. Installing module..."
    Install-Module -Name PSWindowsUpdate -Force
} else {
    Write-Output "PSWindowsUpdate module already installed."
}
Import-Module -Name PSWindowsUpdate

# Temporarily disable WSUS
$wsusRegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# The variable must not be single-quoted here: '$wsusRegPath' is passed literally and never matches a key
$wsusValue = Get-ItemPropertyValue -Path $wsusRegPath -Name UseWUServer -ErrorAction SilentlyContinue
if ($null -ne $wsusValue) {
    Write-Output "Disabling WSUS"
    Set-ItemProperty -Path $wsusRegPath -Name UseWUServer -Value 0
    Restart-Service wuauserv   # the Windows Update agent only picks up a UseWUServer change on restart
}

# Temporarily disable Windows Update for Business deferral period
$wufbRegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wufbValue = (Get-ItemProperty -Path $wufbRegPath -Name DeferQualityUpdatesPeriodInDays -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays
if ($null -ne $wufbValue) {
    if ($wufbValue -ne 0) {
        Write-Output "Disabling Windows Update for Business deferral period"
        Set-ItemProperty -Path $wufbRegPath -Name DeferQualityUpdatesPeriodInDays -Value 0
    } else {
        Write-Output "WUfB deferral period already zero"
    }
}

# The installs run inside try/finally so the WSUS and WUfB settings are restored even if an update fails
try {
    # Check if Office 2013 is installed and if the KB5002265 update is installed
    if ($null -ne $office2013) {
        $KB5002265_installed = Get-WindowsUpdate -KBArticleID KB5002265 -IsInstalled
        # If the KB5002265 update is not installed, install it
        if (!$KB5002265_installed) {
            Write-Output "Installing KB5002265 for Office 2013"
            Install-WindowsUpdate -KBArticleID KB5002265 -MicrosoftUpdate -IgnoreReboot -Verbose -Confirm:$false
        } else {
            Write-Output "No Outlook 2013 CVE-2023-23397 vulnerability"
        }
    }

    # Check if Office 2016 is installed and if the KB5002254 update is installed
    if ($null -ne $office2016) {
        $KB5002254_installed = Get-WindowsUpdate -KBArticleID KB5002254 -IsInstalled
        # If the KB5002254 update is not installed, install it
        if (!$KB5002254_installed) {
            Write-Output "Installing KB5002254 for Office 2016"
            Install-WindowsUpdate -KBArticleID KB5002254 -MicrosoftUpdate -IgnoreReboot -Verbose -Confirm:$false
        } else {
            Write-Output "No Outlook 2016 CVE-2023-23397 vulnerability"
        }
    }
} finally {
    # Return UseWUServer to previous value
    if ($null -ne $wsusValue) {
        Write-Output "Enabling WSUS"
        Set-ItemProperty -Path $wsusRegPath -Name UseWUServer -Value $wsusValue
        Restart-Service wuauserv
    }
    # Return DeferQualityUpdatesPeriodInDays to previous value
    if ($null -ne $wufbValue) {
        Write-Output "Enabling Windows Update for Business deferral period"
        Set-ItemProperty -Path $wufbRegPath -Name DeferQualityUpdatesPeriodInDays -Value $wufbValue
    }
}
```
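The remediation script patches, but it does not tell you afterwards whether a device actually ended up on a fixed build. The following read-only audit is an added example written for this page (it is not part of the original post or of the Reddit script it builds on) that reports that status without changing anything. It reuses the channel/build table above, reads the Click-to-Run build from the ClickToRun\Configuration key (VersionToReport, matching the channel by UpdateChannel and falling back to CDNBaseUrl when no channel policy is set), and for MSI installs asks the Windows Update Agent COM API whether KB5002265 or KB5002254 is installed instead of guessing a file version. The App Paths lookup for OUTLOOK.EXE and the reading of the executable's ProductVersion are assumptions about a standard Office setup.

```powershell
# Added read-only audit for CVE-2023-23397 (example code, not part of the original post).
# Reports whether the installed Outlook is at or above the fixed build; changes nothing.

# Minimum fixed Click-to-Run build per update channel URL (same table as the remediation script)
$FixedC2RBuilds = @{
    'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = @{ Name = 'Current Channel';                          Version = [version]'16.0.16130.20306' }
    'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6' = @{ Name = 'Monthly Enterprise Channel';               Version = [version]'16.0.16026.20238' }
    'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf' = @{ Name = 'Semi-Annual Enterprise Channel (Preview)'; Version = [version]'16.0.16130.20306' }
    'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = @{ Name = 'Semi-Annual Enterprise Channel';           Version = [version]'16.0.15601.20578' }
    'http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208' = @{ Name = 'Office 2019 Volume Licensed';              Version = [version]'16.0.10395.20023' }
    'http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e' = @{ Name = 'Office LTSC 2021 Volume Licensed';         Version = [version]'16.0.14332.20481' }
}
# Outlook KB that carries the fix for MSI installs, keyed on the Outlook major version (15 = 2013, 16 = 2016)
$FixKBs = @{ 15 = 'KB5002265'; 16 = 'KB5002254' }

function Get-OutlookExePath {
    # Assumption: Office setup registers OUTLOOK.EXE under App Paths, which avoids guessing Office15/Office16 folders
    $appPath = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' -ErrorAction SilentlyContinue
    if ($appPath) { return $appPath.'(default)' }
    return $null
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Ask the Windows Update Agent (COM) for its installed-update list; offline, so it works behind WSUS
    # and without PSWindowsUpdate. Only updates already known to the local agent can be reported.
    $kbNumber = $KB -replace '^KB', ''
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Online = $false
    $result = $searcher.Search("IsInstalled=1 and Type='Software'")
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($id -eq $kbNumber) { return $true }
        }
    }
    return $false
}

function Get-OutlookPatchStatus {
    $status = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OutlookPath  = Get-OutlookExePath
        InstallType  = 'None'
        Channel      = $null
        Installed    = $null
        Required     = $null
        Patched      = $false
        Note         = ''
    }
    if (-not $status.OutlookPath) {
        $status.Note = 'Outlook not installed'
        return [pscustomobject]$status
    }

    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        # Click-to-Run: compare the reported suite build against the fixed build for this channel
        $status.InstallType = 'ClickToRun'
        $status.Installed   = [version]$c2r.VersionToReport
        $entry = $null
        if ($c2r.UpdateChannel) { $entry = $FixedC2RBuilds[$c2r.UpdateChannel] }
        if (-not $entry -and $c2r.CDNBaseUrl) { $entry = $FixedC2RBuilds[$c2r.CDNBaseUrl] }  # no channel policy set
        if ($entry) {
            $status.Channel  = $entry.Name
            $status.Required = $entry.Version
            $status.Patched  = $status.Installed -ge $entry.Version   # [version] compares numerically, unlike string -lt/-ge
        } else {
            $status.Channel = $c2r.UpdateChannel
            $status.Note    = 'Unknown channel URL; compare the build against the release notes manually'
        }
    } else {
        # MSI install: the fix ships as an Outlook KB, so check for that KB rather than a build number
        $status.InstallType = 'MSI'
        $status.Installed   = [version](Get-Item $status.OutlookPath).VersionInfo.ProductVersion
        $kb = $FixKBs[$status.Installed.Major]
        if ($kb) {
            $status.Required = $kb
            $status.Patched  = Test-KBInstalled -KB $kb
        } else {
            $status.Note = "No fix KB mapped for Outlook major version $($status.Installed.Major)"
        }
    }
    return [pscustomobject]$status
}

Get-OutlookPatchStatus | Format-List
```

Run it after the remediation job has finished; for fleet-wide reporting, replace the final Format-List with Export-Csv and collect the files, or have the RMM capture the output. A device showing Patched = False with an Installed build above the Required one usually means the channel URL was not recognised, which the Note field calls out, so check the channel mapping before assuming the update failed.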

Script Deployment

This script is great for running on a single device, but how about running this on all devices in the organization? There are many ways to accomplish this (psexec, remote PowerShell, etc.) but in this case we're going to leverage the simplicity of Level.io to quickly deploy the script. First, go to Scripts and choose Create Script. Then give the script a name, description, and increase the script timeout in order to give the installers enough time to run.

Creating the new script.

Next go to the Devices page and filter down to the devices on which you want to run this script. In this case it's wise to filter down to Windows workstations that are currently online. And then select all.

Selecting the devices to receive the script.

Next choose Actions -> Run Saved Script, select the new remediation script and choose Review Job. On the job page, click "Execute Script" when ready and all the targeted machines will receive and run the script. If you need the results, press the toggle on the right to open the script results view.

The script has been successfully run!

The script output is displayed for each device, which helps determine whether any further action is required, for example an update channel the script did not recognise or an update that could not be installed. Because the feedback is immediate, IT teams can deal with those issues in real time rather than discovering them at the next patch cycle.

Please let us know if this was helpful and feel free to share ideas for features or how Level can better support your IT team!

Level: Simplify IT Management

At Level, we understand the modern challenges faced by IT professionals. That's why we've crafted a robust, browser-based Remote Monitoring and Management (RMM) platform that's as flexible as it is secure. Whether your team operates on Windows, Mac, or Linux, Level equips you with the tools to manage, monitor, and control your company's devices seamlessly from anywhere.

Ready to revolutionize how your IT team works? Experience the power of managing a thousand devices as effortlessly as one. Start with Level today—sign up for a free trial or book a demo to see Level in action.