Varonis Threat Labs has disclosed a new Outlook vulnerability (CVE-2023-35636) together with three ways of obtaining NTLM v2 hashed credentials. The flaws, affecting Microsoft Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer, expose users to offline brute-force and authentication relay attacks. Varonis reported the issues to Microsoft, which has since patched WPA and Windows File Explorer, but the Outlook flaw (CVE-2023-35636) remains a concern on systems that have not yet been updated.
CVE-2023-35636 abuses the calendar sharing function in Outlook: by manipulating email headers, a threat actor can cause the recipient's client to leak NTLM v2 hashes. Attackers can then use these hashes in offline brute-force attacks or authentication relays, which poses a serious security risk. Following the disclosure, Microsoft rated the WPA and Windows File Explorer issues as “moderate severity”, while the Outlook flaw received an “important” rating with a severity score of 6.5. Microsoft issued a patch for CVE-2023-35636 on December 12, 2023, which underlines the urgency of applying system updates.
The outlined attack scenarios describe how threat actors can abuse Outlook’s calendar sharing feature, URI handlers, and Windows File Explorer to obtain NTLM v2 hashes. The attacks involve crafting malicious emails, using URI handlers with WPA, and exploiting Windows File Explorer’s search functionality. The potential compromise of NTLM v2 hashes underscores the critical need for organizations and individuals to implement protective measures. While Microsoft’s patches address the specific vulnerabilities, defending against NTLM v2 attacks in general requires broader strategies such as implementing SMB signing, blocking outgoing NTLM v2, and prioritizing Kerberos authentication over NTLM v2 at both the network and application levels.
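The following PowerShell audit script is an added example, not code from Varonis or Microsoft; it checks whether a Windows host already enforces the mitigations listed above (SMB signing on server and client, and blocking of outgoing NTLM) by reading the corresponding registry values. It assumes it is run from an elevated PowerShell session on the host being audited; the `$checks` table and the output format are the example's own.

```powershell
# Added example: audit the NTLM-hardening settings recommended above.
# Reads the registry directly, so it needs no extra modules.
# Assumes: run in an elevated PowerShell session on the Windows host being audited.
$checks = @(
    @{ Name  = 'SMB server signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'Outgoing NTLM to remote servers denied'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Want = 2 }   # 0 = allow, 1 = audit, 2 = deny
)

foreach ($c in $checks) {
    # A missing value means the (non-hardened) default applies, so treat it as a finding.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { '<not set>' } else { $item.($c.Value) }
    $status = if ($actual -eq $c.Want) { 'OK' } else { 'FIX' }
    '{0,-4} {1,-40} current={2} expected={3}' -f $status, $c.Name, $actual, $c.Want
}
```

Denying outgoing NTLM outright can break legitimate access to servers that only speak NTLM, so set the value to 1 (audit) first and review the NTLM operational event log before moving to 2.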