Security Updates for Microsoft Skype for Business and Microsoft Lync (October 2017)

Severity: High. Nessus Plugin ID: 103753
VPR Score: 5.9

Synopsis

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update.

Description

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability:

- An elevation of privilege vulnerability exists when Skype for Business fails to properly handle specific authentication requests. An authenticated attacker who successfully exploited this vulnerability could steal an authentication hash that can be reused elsewhere. The attacker could then take any action that the user had permissions for, causing possible outcomes that could vary between users. (CVE-2017-11786)

Solution

Microsoft has released the following security updates to address this issue:
- KB4011159
- KB4011179

See Also

http://www.nessus.org/u?9f9f0309

http://www.nessus.org/u?b6d55525

Plugin Details

Severity: High

ID: 103753

File Name: smb_nt_ms17_oct_skype.nasl

Version: 1.7

Type: local

Agent: windows

Published: 10/10/2017

Updated: 11/12/2019

Dependencies: office_installed.nasl, microsoft_lync_server_installed.nasl, smb_hotfixes.nasl, ms_bulletin_checks_possible.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS Score Source: CVE-2017-11786

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:skype_for_business, cpe:/a:microsoft:lync

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 10/10/2017

Vulnerability Publication Date: 10/10/2017

Reference Information

CVE: CVE-2017-11786

BID: 101156

MSKB: 4011179

MSFT: MS17-4011159, MS17-4011179

IAVA: 2017-A-0291