Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes

From varonis.com

TL;DR

Varonis Threat Labs discovered a new Outlook vulnerability (CVE-2023-35636) alongside two further ways, via Windows Performance Analyzer (WPA) and Windows File Explorer, to make a victim's machine authenticate with NTLM to an attacker-controlled server and so leak NTLM v2 (Net-NTLMv2) challenge-response hashes. A captured Net-NTLMv2 response is not password-equivalent (it cannot be used for pass-the-hash), but an attacker can attempt an offline brute-force attack to recover the password, or relay the authentication to another service that does not enforce signing, to compromise the account and gain access.

Varonis Threat Labs’ mission is to discover new ways data can be exposed and help build security solutions to detect and stop threats. We disclosed each of these vulnerabilities and exploits to Microsoft in July 2023. Microsoft has since closed out the WPA and Windows File Explorer issues as “moderate severity”, and assigned the Outlook issue CVE-2023-35636, rated “important” with a CVSS score of 6.5. Microsoft issued a patch for this CVE on December 12, 2023.

Unpatched systems remain vulnerable to threat actors attempting to steal hashed passwords using the methods below.
