Fb-Button  - standard facebook ico - CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows PasswordsSecurity Affairs

An 18-month-old CVE-2018-0950 vulnerability in could be exploited by hackers to the Password.

Almost 18 months ago, the security researcher Will Dormann of the CERT Coordination Center (CERT/CC) has found a severe vulnerability in Microsoft Outlook (CVE-2018-0950), time is passed but Microsoft partially addressed it with the last Patch Tuesday updates.
The in Microsoft Outlook ties the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) an email is previewed and automatically initiates SMB connections.

The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive such as Windows login credentials by tricking victims into preview an email with Microsoft Outlook,
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading.” wrote Dormann.

The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.

The attack scenario sees a remote attacker exploiting the vulnerability by sending an RTF email to the , the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the control of the attackers.

“Here we can see than an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.” The following screenshot shows that IP address, domain name, Username, hostname, SMB session key are being leaked.

CVE-2018-0950  - Micorsoft Outlook flaw - CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows PasswordsSecurity Affairs

“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO).” states the CERT. “This may leak the user’s IP address, domain name, user name, host name, and password . If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”

Microsoft Outlook automatically renders OLE content, this means that it will initiate an automatic authentication with the attacker’s controlled remote server over SMB protocol using single sign-on (SSO). This will cause the leak of NTLMv2 hashed version of the password that could be cracked by the attacks with commercial tools and services.

Microsoft attempted to address the flaw in the last security updates, but it only successfully fixed automatically SMB connections when it previews RTF emails, any other SMB attack is still feasible.

“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “\”, clicking the link initiates an SMB connection to the specified server.”

SMB-hack-outlook  - SMB hack outlook - CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows PasswordsSecurity Affairs

Summarizing, the installation of the Microsoft update for CVE-2018-0950 will not fully protect users from the exploitation of this issue.

Users are advised to apply the following mitigations:

  • Install the Microsoft update for CVE-2018-0950.
  • Block ports 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp used for SMB sessions.
  • Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
  • Always strong passwords.
  • Never  click on suspicious links embedded in emails.

Pierluigi Paganini

(Security Affairs – CVE-2018-0950, Microsoft Outook)






Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here