Getting no hits for CVE-2023-23397 in our environment, any reasons/ solution?

Getting no hits for CVE-2023-23397 in our environment, any reasons/ solution?

I have the same thing. My console version is 6.6.185

Curious if you are doing agent based scanning or engine based.

We are doing agent based scanning and seeing the same thing. Has Rapid7 release a check for the Insight Agent to look for this CVE? Or is the check only engine based at this time?

Hi there,

We’ve released a number checks for CVE-2023-23397 – these should work with Agent-based assessments as well as authenticated scans with the Scan Engine.

Please open a support case with details about any system in your environment with an unpatched installation of Outlook where this CVE is not reporting vulnerable. In the case of an Engine-based scan, please include logs with “enhanced logging” enabled to help our support team troubleshoot any accuracy issues.

Can you please verify the checks for systems running Outlook 2016?

We have numerous systems running Office 2016, and they are appearing in other vulnerability checks (including other CVEs covered this patch Tuesday), but CVE-2023-23397 is not listed for those.

We definitely have checks for Outlook 2016. Does “Outlook 2016” or “Microsoft Outlook 2016” show up in the Installed Software listing for the assets?

A support case would be recommended if you’re not seeing the results you expect. That said, our team is looking into these reports.

Just replying so you don’t feel like you are on an island. We also had too few detections via Agents. Our supplementary scanning tool (another vendor) found all of our workstations impacted. So it looks like R7 is just slow to locate all of the impacted versions for some reason.

The detections finally started reporting in via agents on Friday for us, but now I have updated Office 365 installations still showing as vulnerable when scanned. R7 claims I have Microsoft Outlook 365 16.0.15928.20282 installed, while Outlook says its Version 2301 Build 16.0.16026.20214.

Anyone else seeing this?

Microsoft published a powershell script for both on-prem Exchange and 365-based Exchange which will identify if the vulnerable property that allows for this exploit lives in someone’s mailbox.

Additionally, the script will either “clean” or “delete” based on those findings.

Due to the severity of this vulnerability and the recent public disclosure, I (my org) went this route while using IDR as a backup alert mechanism and got any vulnerable emails/tasks/etc… expelled asap.

Also seeing this on my side, supplementary scanner from another vendor correctly reporting the findings.
Insight VM is not will be opening a case

Theres more you can do:
#1 block 445 to Internet in your Corporate Network
#2 block 445 to Internet using Windows Firewall for Homeworkers
#3 in case you have: use Defender for Endpoint Queries to detect and isolate affected hosts.

I see result in my InsightVM for CVE-2023-23397 Vulnerabilities Tab…