#VU8757 Privilege escalation in Skype for Business - CVE-2017-11786

Cybersecurity Help s.r.o.

Published: 2017-10-10 | Updated: 2017-10-10

Vulnerability identifier: #VU8757

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11786

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Skype for Business
Client/Desktop applications / Messaging software

Vendor: Microsoft

Description
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to when Skype for Business fails to properly handle specific authentication requests. A remote attacker can invite a user to an instant message session while using a malicious profile image, steal an authentication has and gain system privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Skype for Business: 2016

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Privilege escalation in Microsoft Skype

Privilege escalation in Microsoft Lync