If you need another reason to apply the December 2023 Patch Tuesday cumulative update, here’s one: it fixes a flaw in Microsoft Outlook that, if abused, could allow hackers to exfiltrate hashed passwords from the computer.
Cybersecurity researchers from Varonis recently discovered and reported a bug in Outlook's calendar sharing function that could allow a threat actor to create a custom file and send it to the victim via an email invite.
“By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempts packets that contain the hash used to attempt to access this resource,” the researchers explain.
They added that hackers can use many tools to perform this listening, including the Responder.py tool, which they describe as “the go-to tool for every SMB and NTLM hash attack”.
The bug, tracked as CVE-2023-35636, carries a severity score of 6.5.
Besides sending a malicious file via email, the attackers can also engage in web-borne attacks, Microsoft further added:
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.” In this example, the victim would have to be convinced to open a link, which isn’t that uncommon with phishing and spear-phishing attacks. Hackers could distribute the link in an email and trick the victims into opening it.
“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” the report stated. “Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”
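A defensive check that follows from the report's point about NTLM v2 crossing the open internet, added here as an example and not taken from Varonis or Microsoft: it flags NTLM authentication attempts whose destination lies outside the internal network. The log layout, the `INTERNAL_SUFFIXES` zone and every sample record are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample records (not real telemetry). Assumed column layout:
# time, source host, destination, destination port, authentication scheme seen.
SAMPLE_LOG = """\
2023-12-14T09:01:12Z,ws-014,10.20.3.7,445,NTLM
2023-12-14T09:01:40Z,ws-014,203.0.113.45,445,NTLM
2023-12-14T09:02:05Z,ws-022,files.corp.example,445,NTLM
2023-12-14T09:03:19Z,ws-031,198.51.100.9,80,NTLM
2023-12-14T09:04:02Z,ws-031,198.51.100.9,443,none
2023-12-14T09:05:47Z,ws-040,share.external.example,445,NTLM
"""

INTERNAL_SUFFIXES = (".corp.example",)  # assumption: the organisation's internal DNS zones

# Explicit ranges: ipaddress.is_private also covers documentation and other
# reserved blocks, which is broader than "our internal network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(dest):
    """True for an internal IP address or a hostname in an internal DNS zone."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return dest.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)
    return any(ip.version == n.version and ip in n for n in INTERNAL_NETS)


def external_ntlm(log_text):
    """Return (time, source, destination, port) for NTLM attempts leaving the network."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:  # skip blank or malformed lines
            continue
        ts, src, dst, port, auth = row
        if auth.upper().startswith("NTLM") and not is_internal(dst):
            hits.append((ts, src, dst, int(port)))
    return hits


if __name__ == "__main__":
    for hit in external_ntlm(SAMPLE_LOG):
        print("NTLM to external destination:", *hit)
```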
Via The Hacker News