When a Rich Text (RTF) email is previewed in Microsoft Outlook, remotely-hosted OLE content is retrieved without requiring any additional user interaction. This can leak private information including the user's password hash, which may be cracked by an attacker.
Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO). This may leak the user's IP address, domain name, user name, host name, and password hash. If the user's password is not complex enough, then an attacker may be able to crack the password in a short amount of time.
By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim's ip address, domain name, user name, host name, and password hash. This password hash may be cracked offline. This vulnerability may be combined with other vulnerabilities to modify the impact. For example, when combined with VU#867968, an attacker could cause a Windows system to blue-screen crash (BSOD) when a specially-crafted email is previewed with Microsoft Outlook.
Apply an update
This vulnerability is addressed in the Microsoft update for CVE-2018-0950. This update prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. Note that other techniques requiring additional user interaction will still function after this patch is installed. For example, if an email contains a UNC link, like \\attacker\foo, Outlook will automatically make this link clickable. If a user clicks such a link, the impact will be the same as with this vulnerability. For this reason, please also consider the following workarounds.
Block inbound and outbound SMB connections at your network border
This vulnerability was reported by Will Dormann of the CERT/CC.
|Date First Published:||2018-04-10|
|Date Last Updated:||2019-01-10 16:35 UTC|