A recently patched security flaw in Microsoft Outlook can be abused by threat actors to obtain NT LAN Manager (NTLM) v2 hashed passwords when a victim opens a specially crafted file.
This security concern, denoted as CVE-2023-35636 (CVSS score: 6.5), was resolved by Microsoft as part of its December 2023 Patch Tuesday updates.
According to a statement from Microsoft in an advisory issued last month, “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.”
The statement further notes, “In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”
In simpler terms, the attacker would need to persuade users to click on a link, which could be embedded in a phishing email or transmitted via an instant message, and then prompt them to open the specified file.
The vulnerability, CVE-2023-35636, originates from the calendar-sharing functionality within the Outlook email application. In this method, a malicious email message is crafted by inserting two headers, “Content-Class” and “x-sharing-config-url,” with manipulated values to expose a victim’s NTLM hash during the authentication process.
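A mail-gateway style check for the two headers described above, added here as an example; it is not code from the article, from Varonis or from Microsoft. The header names are the ones the article gives; the allowlisted host, the sample messages and the `Content-Class` value are constructed assumptions (the article does not state the manipulated values), and the rule is deliberately conservative: any sharing URL that is a UNC path, a `file:`/`smb:` URL, or an HTTP(S) host outside the allowlist is held for review.

```python
from email import message_from_string
from urllib.parse import urlparse

# Constructed assumption: an organisation would fill this with the hosts
# its own calendar-sharing configuration is legitimately served from.
ALLOWED_SHARING_HOSTS = {"outlook.office365.com"}


def sharing_url_verdict(raw_message: str, allowed_hosts=ALLOWED_SHARING_HOSTS) -> dict:
    """Inspect one RFC 5322 message and decide whether its calendar-sharing
    headers should be held for review. Returns a dict so a gateway can log
    the reason and target alongside the verdict."""
    msg = message_from_string(raw_message)
    content_class = msg.get("Content-Class", "")
    sharing_url = msg.get("x-sharing-config-url")
    if sharing_url is None:
        return {"flag": False, "reason": "no x-sharing-config-url header",
                "content_class": content_class}
    url = sharing_url.strip()
    # A UNC path makes the client open an SMB session to the named host,
    # which is where an NTLM exchange would take place.
    if url.startswith(("\\\\", "//")):
        return {"flag": True, "reason": "UNC path in sharing URL",
                "target": url, "content_class": content_class}
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    # file: and smb: URLs are treated the same way as a UNC path.
    if scheme in {"file", "smb"}:
        return {"flag": True, "reason": f"{scheme}: URL in sharing header",
                "target": host or url, "content_class": content_class}
    # Anything that is not HTTP(S) to a known-good host is held for review.
    if scheme not in {"http", "https"} or host not in allowed_hosts:
        return {"flag": True, "reason": "sharing URL host not on allowlist",
                "target": host or url, "content_class": content_class}
    return {"flag": False, "reason": "sharing URL host allowlisted",
            "target": host, "content_class": content_class}


# Constructed sample messages. Only the header names come from the article;
# every value is made up for the demonstration, and 203.0.113.0/24 is the
# documentation address range, not a real host.
BENIGN_SHARE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Calendar invite
Content-Class: Sharing
x-sharing-config-url: https://outlook.office365.com/sharing/placeholder

Please accept the shared calendar.
"""

UNC_SHARE = r"""From: alice@example.invalid
To: bob@example.invalid
Subject: Calendar invite
Content-Class: Sharing
x-sharing-config-url: \\203.0.113.10\share\placeholder

Please accept the shared calendar.
"""

EXTERNAL_HTTP_SHARE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Calendar invite
Content-Class: Sharing
x-sharing-config-url: https://203.0.113.10/sharing/placeholder

Please accept the shared calendar.
"""

PLAIN_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch

No calendar-sharing headers in this one.
"""


def scan_messages(messages):
    """Run the check over a batch and return the verdicts in order."""
    return [sharing_url_verdict(m) for m in messages]


if __name__ == "__main__":
    for name, raw in [("benign", BENIGN_SHARE), ("unc", UNC_SHARE),
                      ("external-http", EXTERNAL_HTTP_SHARE), ("plain", PLAIN_MAIL)]:
        print(name, sharing_url_verdict(raw))
```

The check keys on the destination the header would make the client talk to, not on the exact header values used in any particular sample, so it stays useful if the values change; in practice it complements the Microsoft patch and outbound NTLM restrictions rather than replacing them.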
Dolev Taler, the Varonis security researcher credited with discovering and reporting the flaw, also showed that NTLM hashes can be leaked via Windows Performance Analyzer (WPA) and Windows File Explorer; those two attack vectors remain unpatched.
Taler explained the significance of this discovery, stating, “What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web.”
He added, “Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”
This revelation coincides with Check Point’s identification of a case involving “forced authentication,” which could potentially be exploited to leak a Windows user’s NTLM tokens by deceiving them into opening a rogue Microsoft Access file.
In a separate development, Microsoft announced in October 2023 its intentions to discontinue NTLM in Windows 11 in favor of Kerberos for enhanced security, citing NTLM’s lack of support for cryptographic methods and susceptibility to relay attacks.