Executive Summary

Summary

Title: Microsoft Outlook retrieves remote OLE content without prompting

Information

Name: VU#974272 | First vendor Publication: 2018-04-10
Vendor: VU-CERT | Last vendor Modification: 2018-04-10
Severity (Vendor): N/A | Revision: M

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Base Score: 4.3 | Attack Range: Network
CVSS Impact Score: 2.9 | Attack Complexity: Medium
CVSS Exploit Score: 8.6 | Authentication: None Required

Detail

Vulnerability Note VU#974272

Microsoft Outlook retrieves remote OLE content without prompting

Original Release date: 10 Apr 2018 | Last revised: 10 Apr 2018

Overview

When a Rich Text (RTF) email is previewed in Microsoft Outlook, remotely-hosted OLE content is retrieved without requiring any additional user interaction. This can leak private information including the user's password hash, which may be cracked by an attacker.

Description

Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When the remote OLE content is hosted on an SMB/CIFS server, the Windows client system will attempt to authenticate with that server using single sign-on (SSO). This may leak the user's IP address, domain name, user name, host name, and password hash. If the user's password is not complex enough, an attacker may be able to crack the password in a short amount of time.

Impact

By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim's IP address, domain name, user name, host name, and password hash. This password hash may be cracked offline. This vulnerability may be combined with other vulnerabilities to modify the impact. For example, when combined with VU#867968, an attacker could cause a Windows system to blue-screen crash (BSOD) when a specially-crafted email is previewed with Microsoft Outlook.

Solution

Apply and update

This vulnerability is addressed in the Microsoft update for CVE-2018-0950. This update prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. Note that other techniques requiring additional user interaction will still function after this patch is installed. For example, if an email contains a UNC link, like \\attacker\foo, Outlook will automatically make this link clickable. If a user clicks such a link, the impact will be the same as with this vulnerability. For this reason, please also consider the following workarounds.

Block inbound and outbound SMB connections at your network border

This can be accomplished by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp.

Block NTLM Single Sign-on (SSO) authentication

Block NTLM Single Sign-on (SSO) authentication, as specified in Microsoft Security Advisory ADV170014. Starting with Windows 10 and Server 2016, if the EnterpriseAccountSSO registry value is created and set to 0, SSO authentication will be disabled for external and unspecified network resources. With this registry change, accessing SMB resources is still allowed, but external and unspecified SMB resources will require the user to enter credentials as opposed to automatically attempting to use the hash of the currently logged-on user.
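Added example (not from the CERT note): a PowerShell script that audits a Windows 10 / Server 2016 host for the two network-side workarounds above and, when run elevated with -Apply, enforces them. It assumes the registry location of EnterpriseAccountSSO given in ADV170014 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0), and it substitutes host-firewall rules scoped to the Windows Firewall 'Internet' address keyword for the network-border block the note describes, so internal file shares keep working.

```powershell
# Added example, not part of VU#974272. Audits (and with -Apply, enforces) the
# ADV170014 SSO setting and host-firewall blocks for the SMB ports the note lists.
# Assumption: EnterpriseAccountSSO lives under the MSV1_0 key as documented in ADV170014.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$SsoKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$SsoValue = 'EnterpriseAccountSSO'
# Ports named in the note: 445/tcp, 137/tcp, 139/tcp, 137/udp, 139/udp
$SmbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 }, @{ Protocol = 'TCP'; Port = 137 },
    @{ Protocol = 'TCP'; Port = 139 }, @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 139 }
)

# --- Workaround 1: NTLM SSO to external/unspecified resources (ADV170014) ---
$current = (Get-ItemProperty -Path $SsoKey -Name $SsoValue -ErrorAction SilentlyContinue).$SsoValue
if ($current -eq 0) {
    Write-Output "[OK]   $SsoValue = 0 (SSO to external/unspecified resources disabled)"
} else {
    Write-Output "[WARN] $SsoValue is '$current' (expected 0): NTLM SSO to external SMB hosts still allowed"
    if ($Apply -and $PSCmdlet.ShouldProcess("$SsoKey\$SsoValue", 'Set DWORD to 0')) {
        New-ItemProperty -Path $SsoKey -Name $SsoValue -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# --- Workaround 2: block SMB to/from non-intranet ('Internet') addresses on the host ---
foreach ($p in $SmbPorts) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "VU974272 Block SMB $($p.Protocol)/$($p.Port) $dir"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Output "[OK]   $name"
            continue
        }
        Write-Output "[WARN] missing rule: $name"
        if ($Apply -and $PSCmdlet.ShouldProcess($name, 'Create block rule')) {
            # Inbound rules match on our listening port; outbound rules on the remote port.
            $portParam = if ($dir -eq 'Inbound') { @{ LocalPort = $p.Port } } else { @{ RemotePort = $p.Port } }
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -Protocol $p.Protocol @portParam -RemoteAddress Internet -Profile Any | Out-Null
        }
    }
}
```

Run without -Apply for a read-only report; the WARN lines are the findings a GPO or configuration-management check would flag.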

Use complex passwords

Assume that at some point your client system will attempt to make an SMB connection to an attacker's server. For this reason, make sure that any Windows login has a sufficiently complex password so that it is resistant to cracking. The following two strategies can help achieve this goal:

  1. Use a password manager to help generate complex random passwords. This strategy can help ensure the use of unique passwords across resources that you use, and it can ensure that the passwords are of a sufficient complexity and randomness.
  2. Use longer passphrases (with mixed-case letters, numbers and symbols) instead of passwords. This strategy can produce memorable credentials that do not require additional software to store and retrieve.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Microsoft | Affected | 29 Nov 2016 | 06 Apr 2018

CVSS Metrics

Group | Score | Vector
Base | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal | 4.1 | E:F/RL:OF/RC:ND
Environmental | 4.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0950
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170014

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2018-0950
  • Date Public: 10 Apr 2018
  • Date First Published: 10 Apr 2018
  • Date Last Updated: 10 Apr 2018
  • Document Revision: 24

Original Source

Url : http://www.kb.cert.org/vuls/id/974272

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-200 | Information Exposure

CPE : Common Platform Enumeration

Type | Description | Count
Application | (not given) | 2
Application | (not given) | 1
Application | (not given) | 5

Snort® IPS/IDS

Date | Description
2018-05-15 | Microsoft Office Outlook 2003 OLE information disclosure attempt detected (RuleID: 46267 - Revision: 1 - Type: FILE-OTHER)
2018-05-15 | Microsoft Office Outlook 2003 OLE information disclosure attempt detected (RuleID: 46266 - Revision: 1 - Type: FILE-OTHER)

Alert History

Date | Information
2018-08-02 21:18:47 | Multiple Updates
2018-04-10 21:18:55 | First insertion