A now fixed security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file.
The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was fixed by the tech giant as part of its December 2023 Patch Tuesday updates.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory published last month.
In a web-based attack scenario, an attacker could host a website (or exploit a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.
In other words, the attacker would have to convince users to click on a link, either embedded in a phishing email or sent via an instant message, and then trick them into opening the file in question.
CVE-2023-35636 is rooted in the calendar sharing feature in the Outlook email application, where a malicious email message is crafted by inserting two headers “Content-Class” and “x-sharing-config-url” with values crafted in order to expose a victim’s NTLM hash during authentication.
Varonis security researcher Dolev Taler, who was credited with discovering and reporting the bug, said that the NTLM hashes could have been leaked by exploiting Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.
“What makes it interesting is that WPA tries to authenticate using NTLM v2 on the open web,” Taler said.
“Typically, NTLM v2 should be used when attempting to authenticate against internal services based on IP addresses. However, when the NTLM v2 hash passes across the open Internet, it is vulnerable to offline brute force and relay attacks.”
The disclosure comes as Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening an unauthorized Microsoft Access file.
Microsoft, in October 2023, announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for greater security as it does not support cryptographic methods and is susceptible to relay attacks.