A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.

**CVE-2023-0225.html:**

\===========================================================
== Subject:     Samba AD DC "dnsHostname" attribute can be
                deleted by unprivileged authenticated users.
==
== CVE ID#:     CVE-2023-0225
==
== Versions:    Samba 4.17.0 and later versions
==
== Summary:     An incomplete access check on dnsHostName allows
                authenticated but otherwise unprivileged users to
                delete this attribute from any object in the directory.
===========================================================

===========
Description
===========

In implementing the Validated dnsHostName permission check in Samba's
Active Directory DC, and therefore applying correctly constraints on
the values of a dnsHostName value for a computer in a Samba domain
(CVE-2022-32743), the case where the dnsHostName is deleted, rather
than modified or added, was incorrectly handled.

Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion
of the dnsHostName attribute became possible for authenticated but
otherwise unprivileged users, for any object.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)

==========
Workaround
==========

The AD DC LDAP server is a critical component of the AD DC, and it
should not be disabled.  However it can be disabled by setting

 server services = -ldap

in the smb.conf and restarting Samba

=======
Credits
=======

Originally reported by Lukas Mitter of codemanufaktur GmbH.

Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst
and the Samba Team.

Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2023-0225: Samba - Security Announcement Archive

The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.

**CVE-2023-0922.html:**

\===========================================================
== Subject:     Samba AD DC admin tool samba-tool sends passwords in cleartext
==
== CVE ID#:     CVE-2023-0922
==
== Versions:    All versions of Samba since 4.0
==
== Summary:     The Samba AD DC administration tool, when operating
                against a remote LDAP server, will by default send
		new or reset passwords over a signed-only connection. 
===========================================================

===========
Description
===========

Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only
happen over an encrypted connection, however Samba does not have this
restriction currently.

Samba's samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.

An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD
DC.

This would happen when samba-tool was used to reset a user's
password, or to add a new user.

This only impacts connections made using Kerberos as NTLM-protected
connections are upgraded to encryption regardless.

This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of "client ldap sasl wrapping" to "seal" in Samba's
smb.conf.

Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.

NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour.  Therefore this will also encrypt the AD LDAP
connections between Samba's winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.

If this is a concern, the smb.conf value "client ldap sasl wrapping"
can be reset to "sign".

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)

==========
Workaround
==========

Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2023-0922: Samba - Security Announcement Archive

The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.

**CVE-2023-0614.html:**

\===========================================================
== Subject:     Access controlled AD LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.0

==
== Summary:     The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
                CVE-2018-10919 Confidential attribute disclosure via
                LDAP filters was insufficient and an attacker may be
                able to obtain confidential BitLocker recovery keys
                from a Samba AD DC.

                Installations with such secrets in their Samba AD
                should assume they have been obtained and need
                replacing.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes (such as a user, computer or domain trust
   password) that are never disclosed and are not available to search
   against over LDAP.  This is a hard-coded list, and since Samba 4.8
   these are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

   While a Samba AD Domain makes these attributes available,
   thankfully by default it will not have any of these confidential
   attributes set, as they are only added by clients after
   configuration (typically via a GPO).

   Examples of confidential data stored in Active Directory include
   BitLocker recovery keys, TPM owner passwords, and certificate
   secret keys stored with Credential Roaming.

 - Access controlled attributes (for reads or writes), Samba will
   honour the access control specified in the ntSecurityDescriptor.

 - Public attributes for read.  Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter.

Taking each of the above classes in turn:

 - Secret attributes are prevented from disclosure firstly by
   redaction of the LDAP filter, and secondly by the fact that they
   are still encrypted during filter processing (by default).

 - Confidential and access controlled attributes were subject to an
   attack using LDAP filters.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.

It is not expected that all similar attacks have been prevented, and
it is likely still possible to determine if an object or attribute on
an object is present, but not to obtain the contents.


=============
Further steps
=============

Evidence of an attack will not show up in the logs, except at the
highly verbose level 10, and there is no record as to if a previous
attribute disclosure has taken place.

In addition to updating Samba, it is strongly recommended that steps
be taken to ensure that data that may have been leaked from
confidential or otherwise access-controlled attributes is no longer
useful.

Such steps may include, but are not limited to, re-encrypting
BitLocker encrypted drives, changing TPM passwords, and revoking and
re-issuing certificates that are stored by Credential Roaming (with
new secret keys).


===================
Impacted attributes
===================

In addition to any per-object access control restrictions, the
following attributes in the 2012R2 AD schema have
SEARCH\_FLAG\_CONFIDENTIAL set in the searchFlags by default:

   msDS-IssuerCertificates
   msDS-TransformationRulesCompiled

   Bitlocker:
    msFVE-KeyPackage
    msFVE-RecoveryPassword

   Group Managed Service Accounts:
    msKds-CreateTime
    msKds-DomainID
    msKds-KDFAlgorithmID
    msKds-KDFParam
    msKds-PrivateKeyLength
    msKds-PublicKeyLength
    msKds-RootKeyData
    msKds-SecretAgreementAlgorithmID
    msKds-SecretAgreementParam
    msKds-UseStartTime
    msKds-Version
    (this AD DC feature is not implemented in Samba, and exists only
    in Windows 2012 and later, but could have been replicated to Samba
    in a mixed domain):

   msPKIAccountCredentials
   msPKI-CredentialRoamingTokens
   msPKIDPAPIMasterKeys
   msPKIRoamingTimeStamp
   msTPM-OwnerInformation
   msTPM-OwnerInformationTemp

   unixUserPassword (this value is not used or updated by Samba)

The confidential attributes on your server can be seen (adapt for your
local environment) with:
   
ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' lDAPDisplayName

However, please again note that while unlikely, it is possible via the
nTSecurityDescriptor for any attribute to be made access controlled on
any object, and these cases will not be shown by this command.

==================================
Limitations for indexed attributes
==================================

Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read access controlled
information should not be stored in indexed attributes.  This will
allow a timing attack.

Again, taking each of the above classes in turn:

 - Secret attributes cannot be indexed or searched for, so have always
   been protected

 - Confidential attributes are further protected, as this patch will
   prevent attributes marked as 'confidential' from being indexed.
   Search results for these will be safer, but slower.  The impacted
   attributes on your server can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName

   (This will normally return no results and no such attributes have
   this combination by default)
   
 - Access controlled attributes that are also indexed may be subject
   to timing attacks.

   The list of indexed attributes can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName

==================
Performance impact
==================

As candidate objects are ACL checked before being compared with the
LDAP filter, avoiding this disclosure, Samba's AD DC LDAP read
performance is reduced, with a 20% performance cost in the worst cases
from our existing performance tests.

Further optimisation of the Samba AD DC LDAP server to ameliorate this
impact has been investigated and is technically possible, but is out
of scope for this security release.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team in
collaboration with Joseph Sutton and Demi Marie Obenour.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2023-0614: Samba - Security Announcement Archive

Ubuntu Security Notice 5993-1 - Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information. Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5993-1  
April 03, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Samba could be made to expose sensitive information over the network.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Demi Marie Obenour discovered that the Samba LDAP server incorrectly  
handled certain confidential attribute values. A remote authenticated  
attacker could possibly use this issue to obtain certain sensitive  
information. (CVE-2023-0614)

Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly  
sent passwords in cleartext. A remote attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-0922)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1.1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1.1

Ubuntu 20.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5993-1  
   CVE-2023-0614, CVE-2023-0922

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5993-1

Ubuntu Security Notice 5992-1 - Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5992-1April 03, 2023ldb vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:ldb could be made to expose sensitive information over the network.Software Description:- ldb: LDAP-like embedded databaseDetails:Demi Marie Obenour discovered that ldb, when used with Samba, incorrectlyhandled certain confidential attribute values. A remote authenticatedattacker could possibly use this issue to obtain certain sensitiveinformation.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.22.04.2Ubuntu 20.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.20.04.2After a standard system update you need to restart applications using ldb,such as Samba, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5992-1   CVE-2023-0614Package Information:   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.22.04.2   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5992-1

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

Tracked as CVE-2023-0210, the bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. KSMBD is an open-source In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It’s an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over the network.

Exploiting the flaw requires sending malformed packets, respectively, to a targeted server, personal computer, tablet, or smartphone. The attack triggers _“a heap overflow bug in ksmbd\_decode\_ntlmssp\_auth\_blob in which nt\_len can be less than CIFS\_ENCPWD\_SIZE. This results in a negative blen argument for ksmbd\_auth\_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS\_CRYPTO\_KEY\_SIZE). Note that CIFS\_ENCPWD\_SIZE is 16 and CIFS\_CRYPTO\_KEY\_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1\].”_

The vulnerability exists due to the way versions 5.15-rc1 and later of the Linux kernel handle NTLMv2 authentication. Linux kernel developers haven’t released a patch. CVE-2023-0210 was proven to allow for remote panic in the OS immediately on the Ubuntu 20.04 HWE and 22.04 (both running on 5.15.0-56-generic).

Proof of concept code is currently available online, which somewhat increases the immediate danger to device owners. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.

CVE-2023-0210: CVE-2023-0210: Flaw in Linux Kernel Allows Unauthenticated remote DOS Attacks

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.
Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.
"External

Enterprise Security / Microsoft

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.

Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.

"External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers' control," the company noted in an advisory released this month.

"This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim.

The vulnerability was resolved by Microsoft as part of its Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting government, transportation, energy, and military sectors in Europe.

Microsoft's incident response team said it found evidence of potential exploitation of the shortcoming as early as April 2022.

In one attack chain described by the tech giant, a successful Net-NTLMv2 Relay attack enabled the threat actor to gain unauthorized access to an Exchange Server and modify mailbox folder permissions for persistent access.

The compromised email account was then used to extend the adversary's access within the compromised environment by sending additional malicious messages to target other members of the same organization.

"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy," Microsoft said.

"Organizations should review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation via CVE-2023-23397."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.

Dubbed Untitled Goose Tool, the Python-based utility offers "novel authentication and data gathering methods" to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, the agency said.

Earlier this year, Microsoft also urged customers to keep their on-premises Exchange servers updated as well as take steps to bolster their networks to mitigate potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.

CVE-2023-1252: [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req

IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task.

**Secure Access for Active Directory Identities, Anywhere**

With MFA, SSO and session management, UserLock can protect all employee access to corporate networks and cloud applications, whether on-site or remote.

Start a Free Trial Book a demo

**One On-Premise Active Directory Identity For secure On-Site, Cloud and Remote Access**

 

**Single Sign-On**

Secure and frictionless access to Microsoft 365 and Cloud applications using only your AD credentials, from anywhere.

Learn more

**Contextual Access Management**

Set rules to authorize, deny or limit any login (including remote access), based on contextual factors:

*   **Origin:** Computer (Windows & Mac), device & location restrictions (such as country, IP address, department, and OU)
*   **Time:** Logon hour restrictions, maximum session length and session time quota
*   **Session type:** Workstation, terminal, Wi-Fi, VPN and IIS sessions
*   **Simultaneous connections:** Limit concurrent logins and initial access points

Learn more

 

**User Login Reporting**

A centralized hub to produce and audit reports on all Active Directory user login events and attempts. Meet regulatory compliance standards, support forensics and track down threats.

Learn more

 

« UserLock offers a level of protection that small, medium and large business should be implementing as part of their security roadmap »

Ricky Magalhaes  
Information Security Analyst

**MFA and Access Management. The Easy Way.**

Easy-to-Use, Enterprise-Caliber Security for On-Premise and Hybrid Active Directory Environments of Any Size

****Protect All AD** User Credentials**

Stop unauthorized access from compromised credentials. Secure AD accounts with strong authentication and granular access policies, before damage is done.

****Manage All AD** User Sessions**

Get real-time visibility and a centralized audit trail on all access events across the hybrid network. Monitor and interact remotely with any session directly from the UserLock console.

****Get Compliant** on Securing Access**

Satisfy regulatory and insurance requirements by proving that all access and usage of data is identifiable, audited and attributed to an individual user.

**Simple to Use**

UserLock is quick to deploy, intuitive to manage, and scales effortlessly for any number of users, to ease the burden on IT.

**Non-Disruptive**

UserLock works seamlessly alongside your existing Active Directory infrastructure, reducing complexity and frustration.

**Easily Adopted**

UserLock’s granular controls allow for customized restrictions that protects access without unnecessarily impeding employees.

**Cost Effective**

Building on your investment in Active Directory, UserLock offers additional, effective and affordable security that stops threats, before damage is done.

**Trusted by over 3400 Organizations**

A proven solution for both small to medium-sized businesses (SMBs) and large organizations,  
including some of the most regulated and security-conscious in the world.

*   MSP & SMBs
*   Government  
    & Defense
*   Finance
*   Healthcare
*   Education
*   Manufacturing  
    & Transportation

UserLock is the best 2FA solution I’ve seen. It’s affordable, easy to install and maintain – an IT Manager’s dream.

**Bill Hopkins**  
Network Administrator at City of Keizer, Oregon

     

We found UserLock very easy to implement and will recommend it to other branches within the bank.

**IT Officer**  
Branch of a Multinational Banking Group, Hong Kong

      

Once we set up UserLock, it was easy to deploy and use. UserLock does what I want it to do and it works.

**Meadville Medical Center**  
Lead Support Tech, Meadville Medical Center

     

UserLock is the ideal solution that helps us meet our network access objectives effectively.

**Don Manning**  
Server Administrator at Albany City School District, New York, United States

      

UserLock MFA is a high quality, full-featured product that performs as advertised.

**Michael Commons**  
System Administrator at Dobbs Peterbilt

      

**Client  
**Testimonials****

 Review by Bill Hopkins - City of Keizer  

**Affordable, Easy to Use With Active Directory**

UserLock allows us to have one single 2FA solution for all of our users. It integrates easily with Active Directory, and is simple to install and maintain. It’s basically an IT Manager’s dream.

 Review by Andreas L.  

**Simple and Reliable**

I've tested several 2FA software. In the end, I stuck with UserLock because it requires no administrative effort. I really like the reports and the control of who is connected to which device.

 Review by Bob B.  

**An Administrators Premier Management Tool!**

In a flash, I can control my users’ login experience, find/identify users computers and remote in for support. It’s just always there for me. I can’t imagine working without it now.

 Review by Gov't Network Tech  

**Awesome Tool For Securing Logons**

Userlock has been a great tool and helped us tighten up our user security. It's used in conjunction with Active Directory and Group Policy to secure all logon types in the domain.

**Expert **Reviews****

« UserLock's solution makes implementing multi-factor authentication (MFA) extremely easy. »

Read the Review

« The MFA for RDP significantly enhances security, especially today with a boom in remote working. »

Read the Review

« The perfect access security partner for Windows Active Directory environments. »

Read the Review

« UserLock is a powerful product that focuses on preventing the internal and external threats related to compromised credentials. »

Read the Review

**Start a free trial now**

30-day full version with no user limits

**MSP Console****The **Licensing Management**  
Platform for UserLock**

The new console for managed service providers (MSPs) is a web-based platform that lets you administer UserLock licenses for all your customers.

Read more

**What's new in UserLock**

**2FA Push Notifications with the UserLock Push App**

Quickly respond to 2FA push notifications from your smartphone

*   Enable Push notifications as a **main or additional MFA method**
*   Easily onboard users with **quick self-enrollment**
*   Choose between **one-tap push approval or a TOTP code**
*   Ensure users **approve the correct request** with location, device, and login attempt info

UserLock Push notifications are a **subscription-only feature**.

Learn more

**New features in the UserLock Web App**

Monitor and respond to network sessions quickly, easily, and from anywhere – and access all-new reporting capabilities.

*   Review key user and session **monitoring** insights
*   Simplify daily **management** and widen UserLock access for IT
*   Manage custom **MFA parameters** and help requests
*   View **MFA configuration** methods per user
*   Get drill-down **reporting** capabilities with improved filtering
*   **Export reports** easily
*   **Apply filters** on admin action reports

Learn more

**UserLock VPN Connect**

Simplify MFA on VPN connections with the new UserLock VPN Connect tool. Simply select your VPN, enter your password, and complete MFA – all in one easy-to-use interface.

Learn more

**MFA for Cloud connections with SSO**

Use existing on premise AD identities for secure and seamless MFA on employee access to Microsoft 365 and cloud applications.

Learn more

**Secure Remote Access with UserLock Anywhere**

Enable UserLock Anywhere to protect remote access when employees aren't connected to the corporate network.

Learn more

**Request a personalized demo now**

Discover how UserLock can help you meet your needs.

**Download UserLock**

*   Latest version
*   Beta version

The trial version offers:

*   30-day full version
*   no user limits
*   free technical support

Supported systems

Please read the Beta Testing Procedure before installing this version.

The beta version includes:

*   30-day full version
*   no user limits
*   free technical support

CVE-2023-23192: Protect Active Directory Identities with 2FA and SSO | UserLock

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Wednesday, March 15, 2023 19:03

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Microsoft released a patch for the privilege escalation vulnerability on Tuesday as part of its monthly security update. Along with the patch, Microsoft released a security advisory detailing the targeted, but limited attacks they saw leveraging this particular vulnerability.

Microsoft subsequently assessed that the activity was associated with Russian based actors and used in limited, targeted attacks against a small number of organizations. The Computer Emergency Response Team of Ukraine first reported the vulnerability to Microsoft.

CVE-2023-23397 does not affect non-Windows versions of Outlook such as apps for Android, iOS, Mac, as well as Outlook on the web and other Microsoft 365 services. However, the CVSS attack complexity is rated “Low”. An attacker can exploit this vulnerability simply by sending the victim a specially crafted email. The vulnerability is triggered when the Outlook client retrieves and processes the message. According to Microsoft, “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

As of Wednesday evening, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Users should implement the patch as soon as possible. Additionally, Talos has released Snort rules 61478 and 61479, and Snort 3 signature 300464 to detect the exploitation of this vulnerability.

**Vulnerability details**

CVE-2023-23397 affects all Microsoft Outlook products on the Windows operating system. It is a critical escalation of privilege vulnerability via NTLM credential theft. Attackers can create a specially crafted email message, calendar invite, or task containing the extended MAPI property “PidLidReminderFileParameter.”

The “PidLidReminderFileParameter” property specifies the “filename of the sound that a client should play when the reminder for that object becomes overdue.” Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Mitigations**

The ideal course of action to address this vulnerability is to install the patch provided by Microsoft. If, for some reason, your organization cannot apply this particular patch, Microsoft also provided a few mitigation options including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network. For full details, see the advisory linked above.

Microsoft also released a script intended to help administrators audit their Exchange server for messaging items (mail, calendar and tasks) that have a PidLidReminderFileParameter property populated with a Universal Naming Convention (UNC) path.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2023-23397  
SIDs:  
Snort 3: 300464  
Snort 2: 61478-61479

Tag

#samba