Microsoft Skype for Business Privilege Escalation Vulnerability - 20231011003
Overview
The WA SOC has observed a vulnerability whereby an attacker could make a specially crafted network call to the target Skype for Business server, causing it to parse an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), but not all resources within the impacted component may be divulged to the attacker, and the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability). In some cases, the exposed sensitive information could provide access to internal networks.
What is the vulnerability?
CVE-2023-41763 - CVSS v3 Base Score: 5.3
What is vulnerable?
The vulnerability affects the following Microsoft products:
- Skype for Business Server 2015 CU13 before 6.0.9319.869
- Skype for Business Server 2019 CU7 before 7.0.246.530
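The following Python check, added here as an example and not part of the WA SOC advisory, compares an installed Skype for Business Server build number against the fixed builds listed above. It assumes the administrator already has each server's four-part product version string (as reported by the server's own management tooling); host names and versions in the sample inventory are constructed.

```python
# Added example: classify Skype for Business Server builds against the fixed
# builds the advisory lists for CVE-2023-41763. Not vendor or WA SOC code.
from typing import Dict, List, Tuple

# Fixed builds as given in the advisory, keyed by (major, minor) release line.
# Any build below the fixed build on that line is treated as affected; this
# deliberately also catches builds older than the named CU.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[str, Tuple[int, ...]]] = {
    (6, 0): ("Skype for Business Server 2015", (6, 0, 9319, 869)),
    (7, 0): ("Skype for Business Server 2019", (7, 0, 246, 530)),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.0.9319.869' into (6, 0, 9319, 869) so comparison is numeric,
    not lexicographic: '6.0.9319.1000' must sort above '6.0.9319.869'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Dict[str, object]:
    """Classify one build as 'affected', 'patched' or 'unknown' (a release
    line the advisory does not cover, which needs a manual check)."""
    v = parse_version(version)
    entry = FIXED_BUILDS.get(v[:2])
    if entry is None:
        return {"version": version, "product": None, "fixed": None, "status": "unknown"}
    product, fixed = entry
    status = "affected" if v < fixed else "patched"
    return {"version": version, "product": product,
            "fixed": ".".join(map(str, fixed)), "status": status}


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose build is below the fixed build."""
    return sorted(h for h, ver in inventory.items() if assess(ver)["status"] == "affected")


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical host names and builds.
    sample = {"sfb15-fe-01": "6.0.9319.862", "sfb15-fe-02": "6.0.9319.869",
              "sfb19-fe-01": "7.0.246.529", "sfb19-fe-02": "7.0.246.530"}
    for host in sorted(sample):
        print(host, assess(sample[host]))
    print("needs patching:", hosts_needing_patch(sample))
```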
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours (refer Patch Management):