Unveiling the Outlook Vulnerability: A Gateway to Your NTLM Passwords


In the ever-evolving landscape of cybersecurity, researchers have recently unearthed a critical security flaw in Microsoft Outlook, shedding light on a potential threat to the integrity of NT LAN Manager (NTLM) v2 hashed passwords. This vulnerability, officially labeled as CVE-2023-35636 with a CVSS score of 6.5, has been addressed by Microsoft in its Patch Tuesday updates for December 2023.

The Exploitable Gap

In an alarming scenario outlined by Microsoft in a recently released advisory, the vulnerability could be exploited in email attacks. Threat actors might send a specially crafted file to users, persuading them to open it and unwittingly expose their NTLM v2 hashed passwords. Additionally, in a web-based attack, a malicious actor could host a website containing the crafted file, capitalizing on user interactions to exploit the vulnerability.

The Anatomy of the Vulnerability

At the heart of CVE-2023-35636 lies a flaw within the calendar-sharing function of the Outlook email application. Attackers leverage this weakness by creating a malicious email message with carefully inserted headers, namely "Content-Class" and "x-sharing-config-url." These headers, when manipulated, can reveal a victim's NTLM hash during authentication.

Varonis security researcher Dolev Taler, credited with discovering and reporting the bug, emphasizes the gravity of the situation. Taler highlights that NTLM hashes could potentially be leaked by exploiting Windows Performance Analyzer (WPA) and Windows File Explorer. Intriguingly, these two attack methods remain unpatched, exposing users to potential risks.

The Intriguing Twist

What adds a layer of complexity to this vulnerability is the revelation by Taler that WPA attempts to authenticate using NTLM v2 over the open web. NTLM v2 is normally reserved for internal, IP-address-based services; the danger arises when the NTLM v2 hash traverses the open internet, where it becomes susceptible to relay and offline brute-force attacks.
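The two sections above describe the mechanism (a sharing message whose "Content-Class" and "x-sharing-config-url" headers are manipulated) and the consequence (an NTLM v2 authentication leaving the internal network). The following is an added illustration of the defender's side of that, not code from the article, from Microsoft or from Varonis: a mail-gateway style check that parses a message, pulls the sharing target out of "x-sharing-config-url", and quarantines the message when that target is not an internal address or an allowlisted sharing host. The sample messages, the "Sharing" header value, the allowlisted host name and the quarantine rule are all constructed for the example; a real deployment would take its allowlist from the organisation's actual calendar-sharing endpoints.

```python
"""Added example (not the article's or any vendor's code): flag calendar-sharing
messages whose x-sharing-config-url points outside the organisation, so that an
Outlook client never gets the chance to authenticate with NTLM v2 to an
external host. Sample data and policy values below are constructed."""
import email
import ipaddress
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

# Assumption: hosts the organisation legitimately uses for calendar sharing.
ALLOWED_SHARING_HOSTS = {"outlook.office365.com"}

# Matches a UNC path (\\host\share...) and captures the host part.
_UNC_HOST = re.compile(r"^\\\\([^\\/]+)")


def extract_host(config_url: str) -> Optional[str]:
    """Return the host named by a sharing config URL, or None if unparseable.
    Handles both URL forms (http(s)://host/..., file://host/...) and UNC paths."""
    value = config_url.strip()
    unc = _UNC_HOST.match(value)
    if unc:
        return unc.group(1).lower()
    parsed = urlparse(value)
    return parsed.hostname.lower() if parsed.hostname else None


def host_is_internal(host: str) -> bool:
    """True if the host is allowlisted or is an IP address in private,
    loopback or link-local space. Names are not resolved, so the check is
    offline and deterministic; an unknown hostname is treated as external."""
    if host in ALLOWED_SHARING_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def assess_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and decide whether it may be delivered.
    Messages without a sharing config URL are left alone; messages whose
    sharing target is external or unparseable are quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    config_url = msg.get("x-sharing-config-url")
    result = {
        "from": str(msg.get("From", "")),
        "content_class": str(msg.get("Content-Class", "")).strip(),
        "config_url": None if config_url is None else str(config_url),
        "host": None,
        "verdict": "allow",
        "reason": "",
    }
    if config_url is None:
        return result
    host = extract_host(str(config_url))
    result["host"] = host
    if host is None:
        result["verdict"] = "quarantine"
        result["reason"] = "x-sharing-config-url could not be parsed"
    elif not host_is_internal(host):
        result["verdict"] = "quarantine"
        result["reason"] = ("sharing config points to an external host; "
                            "the client could send an NTLMv2 response there")
    return result


# Constructed sample messages (not captured traffic). The header value
# "Sharing" is an assumption for the sake of the example.
BENIGN = b"""From: colleague@example.com
To: user@example.com
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: https://outlook.office365.com/owa/calendar/config
Content-Type: text/plain

Sharing my calendar with you.
"""

SUSPICIOUS = b"""From: someone@example.net
To: user@example.com
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: \\\\files.example.net\\share\\config
Content-Type: text/plain

Please open the shared calendar.
"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        verdict = assess_message(sample)
        print(f"{verdict['from']}: {verdict['verdict']} "
              f"(host={verdict['host']}) {verdict['reason']}")
```

The check deliberately treats any hostname it cannot classify as external, so an unrecognised sharing endpoint is quarantined rather than passed through; tuning the allowlist is the operational cost of that choice. It complements, rather than replaces, the host-side control the article points toward: the Windows policy that restricts outgoing NTLM authentication to remote servers, which stops the NTLM v2 response at the client even if a crafted message does reach the inbox.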

Forced Authentication and Future Security Measures

As if this weren't enough cause for concern, Check Point recently disclosed a case of "forced authentication." This tactic could potentially weaponize the leak of a Windows user's NTLM tokens by tricking them into opening a rogue Microsoft Access file.

Microsoft's response to evolving threats is evident in its decision, announced in October 2023, to discontinue NTLM in Windows 11. The move toward Kerberos is motivated by the need for stronger security, given that NTLM lacks support for modern cryptographic methods and is vulnerable to relay attacks.

Conclusion: Safeguarding Against Vulnerabilities

The uncovering of the Outlook vulnerability serves as a stark reminder of the constant cat-and-mouse game between security researchers and threat actors. As we navigate the intricacies of email and web-based attacks, the importance of promptly applying security patches cannot be overstated. Microsoft's proactive measures, such as discontinuing NTLM in Windows 11, underscore the industry's commitment to staying one step ahead in the battle for cybersecurity. Users and organizations alike must remain vigilant, adopting robust security practices to mitigate the risks posed by evolving vulnerabilities.
