A recently patched security vulnerability in Microsoft Outlook could let attackers obtain NT LAN Manager (NTLM) v2 hashed passwords by delivering a specially crafted file to a user. The flaw, tracked as CVE-2023-35636, carries a CVSS score of 6.5 and was fixed in Microsoft’s December 2023 Patch Tuesday updates.

Microsoft explained in its advisory that, in an email attack scenario, an attacker could exploit the vulnerability by sending the targeted user a specially crafted file and convincing them to open it. In a web-based scenario, an attacker could host a website, or use a compromised one, that serves content crafted to exploit the vulnerability.

The flaw lies in Outlook's calendar-sharing feature: an attacker can craft an email message that carries two specific headers, “Content-Class” and “x-sharing-config-url,” populated with malicious values, so that the user's NTLM hash is exposed when Outlook attempts to authenticate. The flaw illustrates the risk of handling externally supplied references to shared resources without proper validation.

Varonis security researcher Dolev Taler, who discovered the issue, also reports that NTLM hashes can be leaked through two further avenues, Windows Performance Analyzer (WPA) and Windows File Explorer. Neither of these avenues has been patched to date.

Taler emphasized that WPA attempts to authenticate using NTLM v2 over the open web, where the hashes become vulnerable to relay and brute-force attacks. NTLM v2 is traditionally reserved for authenticating to services on internal IP addresses, so transmitting NTLM v2 hashes across the open internet significantly raises the risk of exploitation.
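The two headers named above, and the internal-versus-internet distinction Taler draws, suggest a simple mail-gateway check. The following Python is an added defensive example, not code from the article, Varonis or Microsoft: it parses a message, extracts the host that x-sharing-config-url points to (UNC path or URL), and flags a calendar-sharing message whose target is neither a private IP address nor an allow-listed internal DNS suffix. The sample messages, the "Sharing" header value and the `.corp.example` suffix are constructed assumptions.

```python
import email
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages (assumptions, not from the advisory): a sharing
# message naming an internal host, one naming an external host, a plain mail.
SAMPLES = {
    "internal": (
        "From: alice@corp.example\r\nTo: bob@corp.example\r\n"
        "Subject: Shared calendar\r\nContent-Class: Sharing\r\n"
        "x-sharing-config-url: \\\\10.0.0.5\\calendars\\alice.ics\r\n"
        "\r\nHere is my calendar.\r\n"
    ),
    "external": (
        "From: alice@corp.example\r\nTo: bob@corp.example\r\n"
        "Subject: Shared calendar\r\nContent-Class: Sharing\r\n"
        "x-sharing-config-url: https://files.example.net/cal.ics\r\n"
        "\r\nHere is my calendar.\r\n"
    ),
    "plain": "From: alice@corp.example\r\nSubject: Lunch\r\n\r\nNoon?\r\n",
}
INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS namespace


def sharing_target_host(msg):
    """Host named by x-sharing-config-url (UNC path or URL), else None."""
    value = msg.get("x-sharing-config-url", "").strip()  # case-insensitive lookup
    if not value:
        return None
    unc = re.match(r"^\\\\([^\\/]+)", value)  # \\host\share\... form
    if unc:
        return unc.group(1).lower()
    host = urlparse(value).hostname
    return host.lower() if host else None


def is_internal_host(host):
    """Private IP literals and allow-listed DNS suffixes count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)


def assess(raw):
    """Flag a sharing message whose config URL points outside the network."""
    msg = email.message_from_string(raw)
    has_class = msg.get("Content-Class") is not None
    host = sharing_target_host(msg)
    suspicious = has_class and host is not None and not is_internal_host(host)
    return {"sharing_class": has_class, "host": host, "suspicious": suspicious}
```

Run `assess()` over each entry of `SAMPLES`; only the "external" message is flagged.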

The disclosure comes alongside Check Point's report of a “forced authentication” technique that causes a Windows user's NTLM tokens to be leaked through a rogue Microsoft Access file, another instance of the same class of weakness in widely used applications.

In response to these growing security concerns, Microsoft has announced plans to phase out NTLM in favor of Kerberos in Windows 11. The move is motivated by NTLM's weak cryptography and its susceptibility to relay attacks, and it reinforces the need for more robust authentication methods.

As businesses increasingly depend on remote collaboration tools, the impact of such vulnerabilities on an organization's security posture cannot be overlooked. Understanding the adversary tactics involved, which the MITRE ATT&CK framework classifies under initial access and credential access, helps in planning mitigations against similar threats.
