20 Nov Security Advisory – SOS-15-005 – Microsoft Skype for Business 2016 Unauthorised Script Execution Vulnerability
Release Date: 20-Nov-2015
Last Update: –
Vendor Notification Date: 30-Sep-2015
Product: Microsoft Skype for Business 2016 Server
Microsoft Skype for Business 2016 Clients
Microsoft Lync 2013 Server
Microsoft Lync 2013 Clients
Microsoft Lync 2010 Server
Microsoft Lync 2010 Clients
Microsoft Lync Room System
Affected versions: All versions
Severity Rating: High
Impact: Security bypass
Manipulation of data
Attack Vector: Remote with authentication
Remote without authentication through federations, meetings and SIP gateways connected
Solution Status: Vendor patch
CVE reference: CVE-2015-6061
The Microsoft Skype for Business (a.k.a Lync) product family provides corporate communications infrastructure, cloud services and clients for enterprise companies. It supports Instant Messaging (IM), SIP/SIPE and XMPP services for traditional calls, instant messaging, meetings and productive sharing such as file, desktop or presentation sharing. Current versions of these products are vulnerable to content manipulation, multiple Cross-Site Scripting (XSS) injections and URL filter bypass vulnerabilities.
The vulnerabilities below allow authenticated attackers to inject malicious content in the IM messages and SIP INVITE requests that are delivered through the MS Lync, Skype for Business or Office 365 platforms. They can be also be exploited through federated connections, meeting requests, SIP trunks and PSTN gateways without authentication. Malformed IM messages or SIP INVITE requests can be used to compromise multiple clients without user interaction. Exploitation vectors of these vulnerabilities depend on the corporate communication design and implementation. Clients of the federations connected, public meeting invitation requests, open meetings, bulk IM messages and SIP trust relationships can be used for mass compromise attacks.
Microsoft Skype for Business 2016 Server – IM URL filter bypass using content obfuscation
Please refer to the PDF version of this advisory for proof of concept code examples.
Install the security patches released by Microsoft and follow the instructions contained in the security advisory below.
Microsoft Security Bulletin MS15-123 – Important
Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure (3105872)
Fatih Ozavci from Sense of Security Labs.