A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to obtain NT LAN Manager (NTLM) v2 hashed passwords when a specially crafted file is opened.
The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory released last month.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”
Put differently, the adversary would have to convince users to click a link, either embedded in a phishing email or sent via an instant message, and then trick them into opening the file in question.
CVE-2023-35636 is rooted in the calendar-sharing function of the Outlook email application: a malicious email message is created by inserting two headers, “Content-Class” and “x-sharing-config-url”, with crafted values in order to expose a victim’s NTLM hash during authentication.
Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, said NTLM hashes could also be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.
“What makes this interesting is that WPA tries to authenticate using NTLM v2 over the open web,” Taler said.
“Normally, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”
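The header pair described above, and the point that NTLM v2 authentication should never leave the internal network, can be turned into a mail-gateway check. The following is an added example, not code from the article, Varonis or Microsoft: it flags messages that carry both sharing headers when the sharing target is not a known internal host. The allowlist, the sample messages and the `Content-Class: Sharing` value are assumptions constructed for the example.

```python
"""Flag Outlook calendar-sharing messages whose x-sharing-config-url points
outside an allowlist of internal sharing hosts (added example; hosts and
messages are constructed, not taken from the article)."""
from email import message_from_string
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: sharing hosts this organisation actually operates.
TRUSTED_SHARING_HOSTS = {"sharing.corp.example"}

def sharing_target_host(raw_message: str) -> Optional[str]:
    """Return the lower-cased host named in x-sharing-config-url.

    Returns None when the header is absent, and "" when the value has no
    parseable host (anything that is not an http(s) URL to a named host)."""
    msg = message_from_string(raw_message)
    url = msg.get("x-sharing-config-url")
    if url is None:
        return None
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""          # unverifiable target: treat as untrusted
    return (parsed.hostname or "").lower()

def is_suspicious_sharing_message(raw_message: str) -> bool:
    """True when both sharing headers are present and the target is untrusted.

    Messages with only one of the headers, or neither, are ordinary mail."""
    msg = message_from_string(raw_message)
    if msg.get("Content-Class") is None or msg.get("x-sharing-config-url") is None:
        return False
    return sharing_target_host(raw_message) not in TRUSTED_SHARING_HOSTS

# Constructed sample messages (headers only matter; bodies are placeholders).
BENIGN = (
    "From: alice@corp.example\r\nTo: bob@corp.example\r\n"
    "Content-Class: Sharing\r\n"
    "x-sharing-config-url: https://sharing.corp.example/cal/team.ics\r\n"
    "Subject: Team calendar\r\n\r\nShared calendar attached.\r\n")
SUSPICIOUS = (
    "From: someone@example.net\r\nTo: bob@corp.example\r\n"
    "Content-Class: Sharing\r\n"
    "x-sharing-config-url: https://calendar-share.example.net/x.ics\r\n"
    "Subject: Invitation\r\n\r\nPlease open the attached file.\r\n")
PLAIN = "From: alice@corp.example\r\nSubject: Lunch?\r\n\r\nNoon?\r\n"
```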
The disclosure comes as Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening a rogue Microsoft Access file.
Microsoft, in October 2023, announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security, because NTLM does not support cryptographic methods and is susceptible to relay attacks.
Some parts of this article are sourced from:
thehackernews.com