A now-patched safety flaw in Microsoft Outlook may very well be exploited by risk actors to entry NT LAN Supervisor (NTLM) v2 hashed passwords when opening a specifically crafted file.
The difficulty, tracked as CVE-2023-35636 (CVSS rating: 6.5), was addressed by the tech big as a part of its Patch Tuesday updates for December 2023.
“In an electronic mail assault situation, an attacker might exploit the vulnerability by sending the specifically crafted file to the person and convincing the person to open the file,” Microsoft mentioned in an advisory launched final month.
In a web-based assault situation, an attacker might host an internet site (or leverage a compromised web site that accepts or hosts user-provided content material) containing a specifically crafted file designed to use the vulnerability.”
Put in another way, the adversary must persuade customers to click on a hyperlink, both embedded in a phishing electronic mail or despatched through an immediate message, after which deceive them into opening the file in query.
CVE-2023-35636 is rooted within the calendar-sharing perform within the Outlook electronic mail software, whereby a malicious electronic mail message is created by inserting two headers “Content material-Class” and “x-sharing-config-url” with crafted values to be able to expose a sufferer’s NTLM hash throughout authentication.
Varonis safety researcher Dolev Taler, who has been credited with discovering and reporting the bug, mentioned NTLM hashes may very well be leaked by leveraging Home windows Efficiency Analyzer (WPA) and Home windows File Explorer. These two assault strategies, nevertheless, stay unpatched.
“What makes this attention-grabbing is that WPA makes an attempt to authenticate utilizing NTLM v2 over the open internet,” Taler mentioned.
“Normally, NTLM v2 must be used when making an attempt to authenticate towards inside IP-address-based companies. Nevertheless, when the NTLM v2 hash is passing by the open web, it’s susceptible to relay and offline brute-force assaults.”
The disclosure comes as Verify Level revealed a case of “pressured authentication” that may very well be weaponized to leak a Home windows person’s NTLM tokens by tricking a sufferer into opening a rogue Microsoft Entry file.
Microsoft, in October 2023, introduced plans to discontinue NTLM in Home windows 11 in favor of Kerberos for improved safety owing to the truth that it doesn’t assist cryptographic strategies and is prone to relay assaults.
