Executive Summary

A critical security flaw in Microsoft Outlook, identified as CVE-2023-35636, allows threat actors to compromise NT LAN Manager (NTLM) v2 hashed passwords. This vulnerability, now patched, poses a significant risk, particularly in email and web-based attack scenarios. This advisory provides an in-depth analysis of the issue, potential attack vectors, and recommended mitigations.

Vulnerability Overview

The vulnerability is rooted in the calendar-sharing function of Microsoft Outlook, enabling the exposure of NTLM v2 hashed passwords during authentication. The flaw was discovered by Varonis security researcher Dolev Taler and addressed by Microsoft in December 2023.

Attack Scenarios

Email Attack Scenario:

• Threat actors can exploit the vulnerability by sending a specially crafted file to the user via email.
• The user is tricked into opening the file, leading to the leakage of NTLM v2 hashed passwords.

Web-Based Attack Scenario:

• Attackers can host a website containing a specially crafted file designed to exploit the vulnerability.
• Users are deceived into clicking a link, either through phishing emails or instant messages, resulting in the compromise of NTLM credentials.

CVE Information

• CVE ID: CVE-2023-35636
• CVSS Score: 6.5 (Medium)

Patch Information

The vulnerability has been addressed by Microsoft as part of the Patch Tuesday updates for December 2023. Users are strongly advised to apply the latest patches to mitigate the risk of exploitation.

Mitigation Strategies

• Apply Patches: Ensure all systems are updated with the latest security patches from Microsoft.
• User Awareness: Educate users about the risks associated with opening files from unknown or suspicious sources.
• Web Filtering: Employ web filtering solutions to block access to potentially malicious websites.

Related Threat Intelligence

Varonis researcher Dolev Taler highlights the use of Windows Performance Analyzer (WPA) and Windows File Explorer as unpatched attack vectors. These methods pose additional risks of NTLM hash leakage and relay attacks.

Conclusion

Given the severity of the Outlook vulnerability, organizations and individuals must prioritize the implementation of patches and adopt proactive security measures. This advisory aims to provide a comprehensive understanding of the threat landscape and assist in safeguarding against potential exploitation of NTLM credentials. Stay vigilant and adhere to best practices for securing email and web-based interactions.

References

• https://thehackernews.com/2024/01/researchers-uncover-outlook.html
• https://nvd.nist.gov/vuln/detail/CVE-2023-35636

Contact Us

If you have any questions or require further information on any other cybersecurity matters, please don’t hesitate to contact our dedicated team at socsupport@maidar.com.au.

If you want to see more about the SOC service we offer, please follow this link https://maidar.com.au

To ask a question, go to our support portal.