Security Updates for Microsoft Skype for Business and Microsoft Lync (October 2017)

high Nessus Plugin ID 103753

Synopsis

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update.

Description

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability:

- An elevation of privilege vulnerability exists when Skype for Business fails to properly handle specific authentication requests. An authenticated attacker who successfully exploited this vulnerability could steal an authentication hash that can be reused elsewhere. The attacker could then take any action that the user had permissions for, causing possible outcomes that could vary between users. (CVE-2017-11786)

Solution

Microsoft has released the following security updates to address this issue:
- KB4011159
- KB4011179

See Also

http://www.nessus.org/u?9f9f0309

http://www.nessus.org/u?b6d55525

Plugin Details

Severity: High

ID: 103753

File Name: smb_nt_ms17_oct_skype.nasl

Version: 1.8

Type: local

Agent: windows

Published: 10/10/2017

Updated: 2/17/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-11786

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:skype_for_business, cpe:/a:microsoft:lync

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 10/10/2017

Vulnerability Publication Date: 10/10/2017

Reference Information

CVE: CVE-2017-11786

BID: 101156

IAVA: 2017-A-0291-S

MSFT: MS17-4011159, MS17-4011179

MSKB: 4011179