Advisory

MS Outlook could leak password via calendar invites, patch it!

Take action: A calendar invite is a commonly used tool. Since it's now weaponized to leak hashes of passwords, it's time to patch your Microsoft Outlook to the latest available version. Naturally, having MFA helps massively, since even if you leak your password, it can't be abused without the second factor. As a final option, if you can't patch you can use another program instead of Microsoft Outlook.


Learn More

A security weakness in Microsoft Outlook allows hashed passwords to leak through malicious calendar-invitation email messages. The vulnerability can be exploited with minimal user interaction, as little as one or two clicks, according to Varonis researchers, who first reported it to Microsoft in July 2023.

The specific flaw in Outlook, tracked as CVE-2023-35636 (CVSS score 6.5), was patched on December 12 with a software update.

On Thursday, Varonis shared the technical details of these exploits, deliberately waiting until users had time to apply the December patch.

The Outlook flaw, CVE-2023-35636, leaks hashed passwords during the calendar-sharing process. This can occur when opening an iCalendar (.ics) file, the format commonly used for sharing and adding events across different calendar applications. For example, when an Outlook user accepts a Google Calendar invitation, Outlook retrieves the event details from the .ics file to add to its calendar.

This vulnerability allows NTLM v2 password hashes to leak through malicious email headers that trick Outlook into connecting to the attacker's system. The attacker must include a header indicating a "sharing" content-class and another header, "x-sharing-config-url", that links to an .ics file on their machine. If an Outlook user clicks the calendar invite, their hashed password is exposed as Outlook attempts to authenticate to the attacker's machine.
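As an added defensive example, not part of the advisory or of Varonis' research: a small Python check that parses an inbound message's headers and flags sharing invites whose x-sharing-config-url is a UNC/file path or points to a host outside an allowlist. The allowlist and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts the organisation legitimately receives shared calendars from (constructed allowlist).
TRUSTED_SHARING_HOSTS = {"calendar.example-corp.internal", "calendar.google.com"}


def sharing_url_risk(raw_message: str) -> Optional[str]:
    """Return a reason string if the message looks like a calendar-sharing lure, else None.

    Flags a 'sharing' content-class whose x-sharing-config-url is a UNC/file path
    or points to a host outside the allowlist: fetching that .ics is where Outlook
    would send NTLM credentials to a host it should not trust.
    """
    msg = message_from_string(raw_message)
    content_class = (msg.get("Content-Class") or "").strip().lower()
    if "sharing" not in content_class:
        return None  # not a sharing message; nothing to check
    url = (msg.get("x-sharing-config-url") or "").strip()
    if not url:
        return "sharing content-class without a config URL"
    if url.startswith("\\\\") or url.lower().startswith("file:"):
        return f"UNC/file sharing URL: {url}"
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return f"unparseable sharing URL: {url}"
    if host not in TRUSTED_SHARING_HOSTS:
        return f"sharing URL points to untrusted host {host}"
    return None


def triage(messages: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch and return (index, reason) for each flagged message."""
    findings = []
    for i, raw in enumerate(messages):
        reason = sharing_url_risk(raw)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample messages: a benign Google invite, a lure pointing at an unknown
# host, and an ordinary mail without sharing headers.
SAMPLES = [
    "From: alice@example.com\nSubject: Sync\nContent-Class: Sharing\n"
    "x-sharing-config-url: https://calendar.google.com/calendar/ical/team/basic.ics\n\nbody",
    "From: eve@example.net\nSubject: Invite\nContent-Class: Sharing\n"
    "x-sharing-config-url: https://calendar-invites.example.net/invite.ics\n\nbody",
    "From: bob@example.com\nSubject: Hello\n\nno calendar headers",
]
```

Run `triage(SAMPLES)` on a mail-gateway export or a quarantined message dump; only the second sample is reported, as its URL host is not in the allowlist.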

Attackers can employ common penetration-testing tools to intercept the packet that contains the victim's hashed password. The stolen hash can then be used in offline brute-force attacks or authentication-relay attacks to gain unauthorized access.