A now-patched security flaw in Microsoft Outlook may very well be exploited by risk actors to entry NT LAN Supervisor (NTLM) v2 hashed passwords when opening a specifically crafted file.
The difficulty, tracked as CVE-2023-35636 (CVSS rating: 6.5), was addressed by the tech large as a part of its Patch Tuesday updates for December 2023.
“In an electronic mail assault situation, an attacker may exploit the vulnerability by sending the specifically crafted file to the person and convincing the person to open the file,” Microsoft stated in an advisory launched final month.
In a web-based assault situation, an attacker may host an internet site (or leverage a compromised web site that accepts or hosts user-provided content material) containing a specifically crafted file designed to take advantage of the vulnerability.”
Put in a different way, the adversary must persuade customers to click on a hyperlink, both embedded in a phishing electronic mail or despatched through an prompt message, after which deceive them into opening the file in query.
CVE-2023-35636 is rooted within the calendar-sharing operate within the Outlook electronic mail utility, whereby a malicious electronic mail message is created by inserting two headers “Content material-Class” and “x-sharing-config-url” with crafted values so as to expose a sufferer’s NTLM hash throughout authentication.
Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, stated NTLM hashes may very well be leaked by leveraging Home windows Efficiency Analyzer (WPA) and Home windows File Explorer. These two assault strategies, nonetheless, stay unpatched.
“What makes this fascinating is that WPA makes an attempt to authenticate utilizing NTLM v2 over the open internet,” Taler stated.
“Normally, NTLM v2 needs to be used when trying to authenticate in opposition to inside IP-address-based companies. Nonetheless, when the NTLM v2 hash is passing by means of the open web, it’s susceptible to relay and offline brute-force assaults.”
The disclosure comes as Verify Level revealed a case of “compelled authentication” that may very well be weaponized to leak a Home windows person’s NTLM tokens by tricking a sufferer into opening a rogue Microsoft Entry file.
Microsoft, in October 2023, introduced plans to discontinue NTLM in Home windows 11 in favor of Kerberos for improved security owing to the truth that it doesn’t assist cryptographic strategies and is inclined to relay assaults.
