Jan 29, 2024NewsroomVulnerability / NTML Security

A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file.

The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory released last month.

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”

Put differently, the adversary would have to convince users to click a link, either embedded in a phishing email or sent via an instant message, and then deceive them into opening the file in question.

CVE-2023-35636 is rooted in the calendar-sharing function in the Outlook email application, wherein a malicious email message is created by inserting two headers “Content-Class” and “x-sharing-config-url” with crafted values in order to expose a victim’s NTLM hash during authentication.

Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, said NTLM hashes could be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.

“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” Taler said.

“Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”

The disclosure comes as Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening a rogue Microsoft Access file.

Microsoft, in October 2023, announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security owing to the fact that it does not support cryptographic methods and is susceptible to relay attacks.

Dec 18, 2023NewsroomEmail Security / Vulnerability

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction.

“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –

• CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
• CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of May 2023 security updates.

“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function that could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to a zero-click code execution on the victim machine.

CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that’s used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it also advised to either disable NTLM, or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.