CVE-2017-11786 in Lync
Summary
by MITRE
Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability."
Analysis
by VulDB Data Team • 01/16/2021
CVE-2017-11786, the Skype for Business Elevation of Privilege Vulnerability, affects the Skype for Business client shipped with Microsoft Lync 2013 SP1 and with Skype for Business 2016. It stems from the way the client handles authentication requests: an attacker can obtain an authentication hash produced by the victim's client and reuse it against other systems and services in the same environment. Despite the "elevation of privilege" label, the practical effect is credential theft followed by impersonation of the victim on other services, not the crossing of a local privilege boundary on the victim's machine. VulDB classifies the weakness as CWE-287 (Improper Authentication), the category for authentication mechanisms weak enough to allow credential capture and reuse. The vulnerability undermines the integrity of authentication itself rather than any single feature of the product, which is why its reach extends well beyond the messaging client.
The weakness lies in the client answering authentication requests without adequately validating who issued them or the context in which they arrive. An attacker who can stand up an endpoint that issues such a request, or who can intercept the exchange, obtains the resulting hash from the victim's client. Because the hash is derived from the account's credential, any other service that accepts the same authentication protocol will accept it too, so the attacker can move laterally without ever learning the victim's password. Two caveats matter when assessing exposure. First, a challenge-response value is bound to the challenge it answered, so "reuse" in practice means relaying it live to a second service (or cracking it offline to recover the password), not replaying a stored copy at some later date; the public description does not name the protocol, but a client-produced hash that is reusable elsewhere on Windows is characteristic of NTLM challenge-response authentication. Second, the leak can be triggered again and again for as long as the client stays unpatched, so a single exposed user is a recurring source of credentials rather than a one-off.
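The following simulation is an added example written for this page, not code from VulDB or Microsoft. It assumes NTLMv2 as the challenge-response scheme (the advisory does not name one), models the unpatched client as a party that answers any authentication request it receives, and uses an arbitrary 16-byte constant in place of a real NT hash. It shows why a leaked response is usable "elsewhere" when relayed to a second service while the same response, stored and replayed against a fresh challenge, is rejected.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed 16-byte value standing in for the victim account's NT hash
# (normally MD4 of the UTF-16LE password; MD4 is missing from many Python
# builds, so the value is embedded). Arbitrary, not a real credential.
VICTIM_NT_HASH = bytes.fromhex("3f2b5f6e7a8c9d0e1f2a3b4c5d6e7f80")


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 over UPPER(user)+domain, keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_blob() -> bytes:
    """Simplified NTLMv2 client blob: version header, FILETIME timestamp, client nonce, padding."""
    filetime = int((time.time() + 11644473600) * 1e7)
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + os.urandom(8) + b"\x00" * 4


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr || blob, where NTProofStr = HMAC-MD5(key, server_challenge || blob)."""
    proof = hmac.new(ntlmv2_key(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class Server:
    """A service (file server, mail server, ...) that accepts NTLMv2 logons for accounts it knows."""

    def __init__(self, name: str, accounts: dict):
        self.name = name
        self.accounts = accounts      # (UPPER(user), domain) -> NT hash
        self.outstanding = set()      # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        c = os.urandom(8)
        self.outstanding.add(c)
        return c

    def authenticate(self, user: str, domain: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False              # stale or foreign challenge: a replay is rejected here
        self.outstanding.discard(challenge)
        nt_hash = self.accounts.get((user.upper(), domain))
        if nt_hash is None or len(response) <= 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntlmv2_key(nt_hash, user, domain), challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


class VulnerableClient:
    """Models the unpatched client: it answers whatever authentication request reaches it."""

    def __init__(self, user: str, domain: str, nt_hash: bytes):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash

    def answer(self, challenge: bytes) -> bytes:
        return ntlmv2_response(self.nt_hash, self.user, self.domain, challenge, client_blob())


def relay_attack(client: VulnerableClient, target: Server) -> bool:
    """Attacker's endpoint forwards the real target's challenge to the victim and the answer back."""
    chal = target.challenge()         # attacker opens a logon with the target, posing as the victim
    resp = client.answer(chal)        # the flaw: the client answers the forwarded request
    return target.authenticate(client.user, client.domain, chal, resp)


def replay_attack(client: VulnerableClient, target: Server) -> bool:
    """A response captured earlier, presented against a fresh challenge, does not verify."""
    captured = client.answer(os.urandom(8))   # answer to the attacker's own challenge
    return target.authenticate(client.user, client.domain, target.challenge(), captured)


def run_demo() -> dict:
    fileserver = Server("FS01", {("ALICE", "CORP"): VICTIM_NT_HASH})
    victim = VulnerableClient("alice", "CORP", VICTIM_NT_HASH)
    return {"relay": relay_attack(victim, fileserver), "replay": replay_attack(victim, fileserver)}


if __name__ == "__main__":
    print(run_demo())   # {'relay': True, 'replay': False}
```

The server accepts the relayed logon because the victim's client computed a valid answer to the server's own challenge; nothing in the protocol tells the client which service the challenge came from. That is the property a fix has to restore: the client must only answer requests from endpoints it has a reason to trust, and services should bind the exchange to the channel (SMB signing, channel binding) so a forwarded answer is no longer sufficient.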
The operational impact goes well beyond the client itself. A credential stolen this way can be presented to any resource that trusts the same authentication infrastructure, such as mail servers, file shares and database servers, and the attacker inherits the victim's existing privileges on each of them. VulDB maps exploitation to ATT&CK T1078.004 (Valid Accounts: Cloud Accounts) and T1566.001 (Phishing: Spearphishing Attachment); the mechanics of the flaw correspond more directly to T1187 (Forced Authentication) for the leak itself and T1550.002 (Use Alternate Authentication Material: Pass the Hash) for the reuse. Organizations running Lync 2013 SP1 or Skype for Business 2016 therefore face elevated risk of data breaches and of unauthorized access to confidential business communications, with the theft originating from an ordinary user's workstation rather than from a server. The risk is highest where users hold elevated privileges or where many systems share one authentication domain, because every such account becomes a pivot point for lateral movement.
Mitigation should start with the Microsoft security update that addresses this CVE, deployed to every Lync 2013 SP1 and Skype for Business 2016 client. Until that is done, reduce what a leaked hash is worth: block outbound SMB (TCP 445) and other NTLM-capable protocols at the network edge so a client cannot be coaxed into authenticating to an internet host, require SMB signing and LDAP signing or channel binding on servers so a relayed response is not sufficient on its own, and use the "Network security: Restrict NTLM" policies to push authentication to Kerberos where it can take its place. Network segmentation limits how far a stolen credential can travel. Multi-factor authentication protects only the services that enforce it; a relayed or cracked hash still works against any service that accepts the underlying protocol without it, so do not treat MFA as a substitute for patching. For detection, watch successful network logons that use NTLM (event 4624, logon type 3) for an account appearing from a source host it has never used before, and for one account reaching several servers in quick succession, since both are the signature of a hash being reused. Disable any client feature that is not needed, and keep access to authentication-related services tightly controlled. The vulnerability is a reminder that an authentication protocol is only as strong as the client that speaks it, and that patch currency matters most for software that handles credentials. Regular security assessments and penetration tests, including relay and forced-authentication checks, will surface the same class of weakness in other enterprise applications.
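The detection logic suggested above, as an added example written for this page rather than a VulDB or Microsoft tool: it runs over a constructed sample of Windows Security log events modelled on the fields of event 4624 (the hosts, accounts and addresses are invented) and flags an account whose NTLM network logons come from two or more source addresses inside one short window, listing the servers reached in that burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on Windows Security event 4624 (successful logon),
# one event per line as key=value pairs. Not real log data: hosts, accounts and
# addresses are invented for the example.
SAMPLE_LOG = """\
2017-10-11T09:00:01 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\alice Workstation=WS-ALICE SrcIP=10.0.1.15 Target=FS01
2017-10-11T09:00:20 EventID=4624 LogonType=3 AuthPackage=Kerberos Account=CORP\\bob Workstation=WS-BOB SrcIP=10.0.1.22 Target=FS01
2017-10-11T09:02:45 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\alice Workstation=UNKNOWN SrcIP=10.0.9.77 Target=FS01
2017-10-11T09:03:10 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\alice Workstation=UNKNOWN SrcIP=10.0.9.77 Target=SQL02
2017-10-11T09:03:40 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\alice Workstation=UNKNOWN SrcIP=10.0.9.77 Target=EXCH01
2017-10-11T14:00:00 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\carol Workstation=WS-CAROL SrcIP=10.0.1.30 Target=FS01
2017-10-11T14:30:00 EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\carol Workstation=WS-CAROL SrcIP=10.0.1.30 Target=SQL02
"""


def parse_events(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        ev = dict(token.split("=", 1) for token in rest.split())
        ev["ts"] = datetime.fromisoformat(stamp)
        events.append(ev)
    return events


def ntlm_network_logons(events: list) -> list:
    """Keep only successful network logons (4624, type 3) that used NTLM."""
    return [e for e in events
            if e.get("EventID") == "4624" and e.get("LogonType") == "3"
            and e.get("AuthPackage") == "NTLM"]


def detect_hash_reuse(events: list, window: timedelta = timedelta(minutes=10), min_sources: int = 2) -> list:
    """Alert when one account's NTLM logons come from >= min_sources addresses within `window`.

    A legitimate user reaches servers from one workstation; the same account
    authenticating from a second host moments later is the pattern a relayed
    or cracked hash produces. The targets reached in the burst are listed so
    responders can see how far the credential travelled.
    """
    alerts = []
    by_account = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_account[e["Account"]].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = sorted({e["SrcIP"] for e in burst})
            if len(sources) >= min_sources:
                alerts.append({
                    "account": account,
                    "sources": sources,
                    "targets": sorted({e["Target"] for e in burst}),
                    "start": first["ts"].isoformat(),
                    "end": burst[-1]["ts"].isoformat(),
                })
                break   # one alert per account per run; the burst already carries the detail
    return alerts


if __name__ == "__main__":
    for alert in detect_hash_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice is flagged (her account is used from 10.0.1.15 and then from 10.0.9.77 against three servers within four minutes), bob is ignored because his logon used Kerberos, and carol is not flagged because both of her logons come from the same workstation. In production the same rule is usually expressed in the SIEM query language over forwarded 4624 events; the window and source-count thresholds should be tuned per environment, and accounts that legitimately authenticate from several hosts (service accounts, jump hosts) need an allow-list.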