Reading an email in Microsoft Outlook is causing your sensitive information to leak

A vulnerability discovered by Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC), could allow cybercriminals to steal sensitive information, including users’ Windows login credentials, by convincing victims to preview an email with Microsoft Outlook, without requiring any additional user interaction. The vulnerability is tracked as CVE-2018-0950. [1]

How did it happen?

The case of Microsoft Outlook

Basics of OLE

Picture 1. Once inserted, there is a Write document that has embedded Paintbrush content (Source: Dormann, 2018)

Picture 2. Write Document (Source: Dormann, 2018)

Microsoft Outlook is an email client that comes with Microsoft Office. Outlook includes the ability to send rich text (RTF) email messages, which can contain OLE objects. [3]

Picture 3. RTF (Source: Dormann, 2018)

Microsoft Outlook vulnerability

A remote attacker can exploit this vulnerability by sending an RTF email to a target victim containing a remotely hosted image file (an OLE object) that is loaded from an attacker-controlled SMB server (see note 1 below). Because Microsoft Outlook automatically renders OLE content, it initiates an automatic authentication with the cybercriminal’s remote server over the SMB protocol using single sign-on (SSO), handing over the victim’s username and the NTLMv2 hashed version of the password, potentially allowing the attacker to gain access to the victim’s system. [1]

Picture 4. IP address, Domain name, Username, Hostname, SMB session key are leaked (Source: Dormann, 2018)

An SMB connection is negotiated automatically because Outlook previews the email that was sent to it. In picture 4, the IP address, domain name, username, hostname and SMB session key are leaked. “A remote OLE object in a rich text email message functions like a web bug on steroids!” [3]

Why would any Windows PC automatically hand over credentials to the cybercriminal’s SMB server?

Picture 5. SMB authentication mechanism (Source: thehackernews, 2018)

This is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.
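Picture 4 lists what is exposed during that automatic SMB negotiation. The following Python example is added here and is not part of the original post or of Dormann’s write-up. It parses an NTLMSSP AUTHENTICATE (type 3) message, the final message of the NTLM challenge/response exchange that SMB carries inside its session setup, and shows that the domain, username and workstation name travel as plain UTF-16 strings, while the password itself never leaves the client: only a keyed response to the server’s challenge does. The message is built inside the block by a helper named build_authenticate (a name of my choosing) from constructed values; the response and session key bytes are filler, not real cryptographic output, and all function names are hypothetical.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE when set
NEGOTIATE_NTLM = 0x00000200


def _security_buffer(msg: bytes, at: int) -> bytes:
    """Resolve one (Len, MaxLen, Offset) descriptor at msg[at:at+8] into its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_authenticate(msg: bytes) -> dict:
    """Extract what a passive observer can read from an NTLMSSP AUTHENTICATE (type 3) message."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    # Six descriptors follow the 12-byte header; the negotiate flags sit at offset 60.
    names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
    raw = {n: _security_buffer(msg, 12 + 8 * i) for i, n in enumerate(names)}
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": raw["domain"].decode(enc),
        "user": raw["user"].decode(enc),
        "workstation": raw["workstation"].decode(enc),
        "nt_response": raw["nt_response"].hex(),
        "session_key": raw["session_key"].hex(),
        # An NTLMv2 response is a 16-byte HMAC followed by a client blob,
        # so it is longer than the fixed 24-byte NTLMv1 response.
        "ntlmv2": len(raw["nt_response"]) > 24,
    }


def build_authenticate(domain: str, user: str, workstation: str,
                       nt_response: bytes, session_key: bytes) -> bytes:
    """Assemble a minimal type-3 message from constructed values (test data, not captured traffic)."""
    header_len = 72                       # 12-byte header + 6 descriptors + flags + 8-byte version
    blobs = [b"\x00" * 24,                # LM response: zeros, as NTLMv2-only clients send
             nt_response,
             domain.encode("utf-16-le"),
             user.encode("utf-16-le"),
             workstation.encode("utf-16-le"),
             session_key]
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    version = b"\x0a\x00\x00\x00\x00\x00\x00\x0f"   # placeholder version structure (constructed)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + descriptors + flags + version + payload)


# Constructed sample: response and key bytes are arbitrary filler, not real crypto output.
SAMPLE_TYPE3 = build_authenticate(
    domain="CORP", user="alice", workstation="WS-0042",
    nt_response=b"\xaa" * 16 + b"\x01\x01" + b"\x00" * 26,
    session_key=b"\x5a" * 16,
)

if __name__ == "__main__":
    for key, value in parse_authenticate(SAMPLE_TYPE3).items():
        print(f"{key:12} {value}")
```

Against real traffic the parser would sit behind a packet capture, since the NTLMSSP blob is embedded in the SMB Session Setup request; here it only consumes the constructed message. The point for defenders is that the nt_response is a keyed hash of a challenge chosen by the server, and the key is derived solely from the user’s password, so whoever operates the server end holds enough material to test password guesses offline. That is why the advisory’s advice on strong passwords and on restricting outgoing NTLM matters.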

Microsoft Outlook Behavior

Picture 6. The remote image is not loaded automatically (Source: Dormann, 2018)

It can be seen that the remote image is not loaded automatically. If Outlook allowed remote images to load automatically, it could leak the client system’s IP address and other metadata, such as the time at which an email was viewed; this restriction helps protect against a web bug being used in email messages. However, consider the same sort of message in rich text format where, rather than a remote image file, it contains an OLE document that is loaded from a remote SMB server. [3]

Picture 7. RTF text message (Source: Dormann, 2018)

Outlook blocks remote web content due to the privacy risk of web bugs; however, with a rich text email, the OLE object is loaded with no user interaction.
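Because the rich text path loads the OLE object without any user interaction, a mail gateway or incident responder may want to inspect RTF bodies for embedded objects that point at a remote share. The following Python example is added here and is not code from the original post or from the CERT write-up. It walks the RTF group structure, locates every {\object ...} group, decodes its \objdata hex payload and reports any UNC path (\\host\share\...) found in it, in either ASCII or UTF-16LE form, along with whether the object is an auto-link. The sample RTF and its hex blob are constructed for the example and are not real OLE streams; the function names are hypothetical.

```python
import re

# Constructed fixture: one embedded (inline) object and one auto-linked object whose
# data carries a UNC path. The hex is hand-made filler shaped like \objdata, not a real OLE stream.
_REMOTE_BLOB = (
    b"\x01\x05\x00\x00"
    + "\\\\203.0.113.5\\share\\image.png".encode("utf-16-le")
    + b"\x00\x00"
).hex()

SAMPLE_RTF = (
    r"{\rtf1\ansi Quarterly figures below."
    + r"{\object\objemb{\*\objclass Paint.Picture}{\*\objdata 0105000002000000}}"
    + r"{\object\objautlink\objupdate{\*\objclass Package}{\*\objdata " + _REMOTE_BLOB + "}}"
    + "}"
)

# UNC paths as they appear in raw bytes: ASCII, and UTF-16LE (each char followed by \x00).
_UNC_ASCII = re.compile(rb"\\\\[^\\\x00\s]+(?:\\[^\\\x00\s]+)+")
_UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[^\\\x00]\x00)+(?:\\\x00(?:[^\\\x00]\x00)+)+")


def _group_at(rtf: str, start: int) -> str:
    """Return the RTF group that opens at rtf[start] == '{', honouring nesting and \{ \} escapes."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":           # control word, control symbol or escaped brace: skip next char
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    return rtf[start:]          # unterminated group: return what is there


def find_ole_objects(rtf: str) -> list:
    """Describe every {\object ...} group: is it auto-linked, and which UNC paths sit in its data."""
    found = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = _group_at(rtf, m.start())
        data = b""
        dm = re.search(r"\{\\\*\\objdata\b", group)
        if dm:
            dgroup = _group_at(group, dm.start())
            # Everything between the control word and the closing brace is hex (whitespace allowed).
            hexstr = re.sub(r"[^0-9A-Fa-f]", "", dgroup[len(r"{\*\objdata"):-1])
            data = bytes.fromhex(hexstr[: len(hexstr) & ~1])
        paths = [p.decode("ascii") for p in _UNC_ASCII.findall(data)]
        paths += [p.decode("utf-16-le") for p in _UNC_UTF16.findall(data)]
        found.append({"autolink": "\\objautlink" in group, "remote_paths": paths})
    return found


def remote_ole_paths(rtf: str) -> list:
    """All UNC paths referenced by OLE objects in the message; an empty list means nothing to flag."""
    return [p for obj in find_ole_objects(rtf) for p in obj["remote_paths"]]


if __name__ == "__main__":
    for obj in find_ole_objects(SAMPLE_RTF):
        print(obj)
```

The scanner deliberately treats the \objdata payload as opaque bytes and searches for path shapes rather than parsing the OLE moniker structures, so it also catches data that is malformed but would still carry a share name; a hit on a remote path in an auto-linked object is the case that warrants quarantining the message and correlating with outbound SMB attempts at the border.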

Solutions [2]

Apply an update

Block inbound and outbound SMB connections at your network border

Block NTLM Single Sign-on (SSO) authentication

Use strong passwords

  • Use a password manager to help generate complex random passwords. This strategy can help ensure the use of unique passwords across resources that you use, and it can ensure that the passwords are of sufficient complexity and randomness.
  • Use longer passphrases (with mixed-case letters, numbers and symbols) instead of passwords. This strategy can produce memorable credentials that do not require additional software to store and retrieve.

References

[1] https://thehackernews.com/2018/04/outlook-smb-vulnerability.html

[2] https://www.kb.cert.org/vuls/id/974272

[3] https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html

  1. Server Message Block (SMB): The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. It can also carry transaction protocols for interprocess communication. Created by IBM in the 1980s, the SMB protocol has since spawned multiple variants or implementations, also known as dialects, to meet evolving network requirements over the years. For more details visit https://searchnetworking.techtarget.com/definition/Server-Message-Block-Protocol

Keepnet is an anti-phishing solution and cybersecurity awareness training platform.