Attackers Can Steal NTLM Password Hashes via Calendar Invites


A patched vulnerability (CVE-2023-35636) in Microsoft Outlook, which allows theft of NTLM v2 hashes, can be exploited through specially crafted email headers. Security researcher Dolev Taler and Varonis Threat Labs also disclosed two additional, unpatched vulnerabilities of "moderate" severity that can be used to obtain NTLM v2 hashes. Stolen hashes can lead to offline brute-force or authentication relay attacks, enabling unauthorized access to enterprise systems. Authentication relay attacks involve intercepting NTLM v2 authentication requests, forwarding them to a different server, and using the victim's response to authenticate; the attacker can then authenticate as the user and gain access to sensitive enterprise systems and resources. Microsoft has fixed CVE-2023-35636 but rates the other two as moderate. Varonis researchers provided proof-of-concept exploits for Microsoft Outlook, for URI handlers with Windows Performance Analyzer, and for Windows File Explorer, three attack paths for obtaining NTLM v2 hashes.

Security Officer Comments:
NTLM v2 is the current iteration of the NTLM cryptographic protocol used by Microsoft Windows for user authentication to remote servers via password hashes. Compromised NTLM v2 password hashes pose a risk for authentication relay attacks or offline brute force attempts.

Suggested Corrections:
There are several ways to protect against NTLM v2 attacks:

  • SMB signing — SMB signing is a security feature that helps to protect SMB traffic from tampering and man-in-the-middle attacks. It works by digitally signing all SMB messages. This means that if an attacker tries to modify an SMB message, the recipient will be able to detect the change and reject the message.
  • SMB signing is turned on by default on Windows Server 2022 and later, and on Windows 11 Enterprise edition (starting with Insider Preview build 25381).
  • Block outgoing NTLM v2: starting with Windows 11 build 25951, Microsoft added the option to block outgoing NTLM authentication.
  • Force Kerberos authentication whenever possible and block NTLM v2 at both the network and application levels.
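As an added example (not part of the advisory or Varonis' research), the PowerShell below audits, and optionally enforces, the SMB signing and outgoing-NTLM settings listed above. It assumes an elevated session with the SmbShare module (Get/Set-SmbServerConfiguration, Get/Set-SmbClientConfiguration), and the SMB client's -BlockNTLM switch only exists on builds that ship the "block NTLM over SMB" option, so the script probes for it before using it.

```powershell
# Added example: audit and enforce the mitigations above. Run elevated.
# Assumes the SmbShare module; the -BlockNTLM parameter is probed at runtime.
function Get-NtlmHardeningState {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to
    # remote servers" is stored under MSV1_0: 0 = allow, 1 = audit, 2 = deny.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $policy = switch ($restrict) { 2 { 'Deny' } 1 { 'Audit' } default { 'Allow' } }

    # Newer builds expose "block NTLM over SMB" on the SMB client.
    $supportsBlock = (Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')
    $blocksNtlm = if ($supportsBlock) { [bool]$client.BlockNTLM } else { 'Unsupported on this build' }

    [pscustomobject]@{
        ServerRequiresSigning = [bool]$server.RequireSecuritySignature
        ClientRequiresSigning = [bool]$client.RequireSecuritySignature
        OutgoingNtlmPolicy    = $policy
        SmbClientBlocksNtlm   = $blocksNtlm
    }
}

function Set-NtlmHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Require signing in both directions so a relayed NTLM session is rejected.
    if ($PSCmdlet.ShouldProcess('SMB server and client', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    # Deny outgoing NTLM to remote servers. Roll out with 1 (audit) first and
    # review the NTLM audit events before moving to 2 (deny) in production.
    if ($PSCmdlet.ShouldProcess('MSV1_0\RestrictSendingNTLMTraffic', 'Set to 2 (deny all)')) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
            -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
    }
    # Block NTLM over SMB where the build supports it.
    if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM') -and
        $PSCmdlet.ShouldProcess('SMB client', 'Block NTLM over SMB')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
    }
}

# Audit first; preview changes with -WhatIf before enforcing.
Get-NtlmHardeningState | Format-List
# Set-NtlmHardening -WhatIf
```

Blocking outgoing NTLM can break legacy services that still depend on it, so audit mode and event-log review should precede the deny setting on production hosts.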