cnvd - cnvd-2018-15913

CNVD-2018-15913

Vulnerability from cnvd - Published: 2018-08-22

Title

Microsoft Lync和Skype for Business安全绕过漏洞

Description

Microsoft Lync 2013 SP1和Skype for Business 2016都是美国微软（Microsoft）公司产品。Microsoft Lync（前称Microsoft Office Communicator）2013 SP1是发布的新一代企业整合沟通平台。Skype for Business 2016是一套企业整合沟通平台。 Microsoft Lync 2013 SP1和Skype for Business 2016中存在安全绕过漏洞，该漏洞源于程序未正确的解析由消息共享的Skype路径链接。攻击者可通过诱使用户点击特制文件的链接利用该漏洞在登陆用户的上下文中执行任意命令。

Severity

中

Patch Name

Microsoft Lync和Skype for Business安全绕过漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-8238

Impacted products

Name
['Microsoft Lync 2013 SP1', 'Microsoft Skype for Business 2016']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104619"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-8238"
    }
  },
  "description": "Microsoft Lync 2013 SP1\u548cSkype for Business 2016\u90fd\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u4ea7\u54c1\u3002Microsoft Lync\uff08\u524d\u79f0Microsoft Office Communicator\uff092013 SP1\u662f\u53d1\u5e03\u7684\u65b0\u4e00\u4ee3\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\u3002Skype for Business 2016\u662f\u4e00\u5957\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\u3002\r\n\r\nMicrosoft Lync 2013 SP1\u548cSkype for Business 2016\u4e2d\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u7684\u89e3\u6790\u7531\u6d88\u606f\u5171\u4eab\u7684Skype\u8def\u5f84\u94fe\u63a5\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u70b9\u51fb\u7279\u5236\u6587\u4ef6\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u767b\u9646\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Steven Thompson",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-15913",
  "openTime": "2018-08-22",
  "patchDescription": "Microsoft Lync 2013 SP1\u548cSkype for Business 2016\u90fd\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u4ea7\u54c1\u3002Microsoft Lync\uff08\u524d\u79f0Microsoft Office Communicator\uff092013 SP1\u662f\u53d1\u5e03\u7684\u65b0\u4e00\u4ee3\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\u3002Skype for Business 2016\u662f\u4e00\u5957\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\u3002\r\n\r\nMicrosoft Lync 2013 SP1\u548cSkype for Business 2016\u4e2d\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u7684\u89e3\u6790\u7531\u6d88\u606f\u5171\u4eab\u7684Skype\u8def\u5f84\u94fe\u63a5\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u70b9\u51fb\u7279\u5236\u6587\u4ef6\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u767b\u9646\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Lync\u548cSkype for Business\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Lync 2013 SP1",
      "Microsoft Skype for Business 2016"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-8238",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-12",
  "title": "Microsoft Lync\u548cSkype for Business\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2018-8238 (GCVE-0-2018-8238)

Vulnerability from cvelistv5 – Published: 2018-07-11 00:00 – Updated: 2024-08-05 06:46

Summary

A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka "Skype for Business and Lync Security Feature Bypass Vulnerability." This affects Skype, Microsoft Lync.

Severity ?

No CVSS data available.

CWE

Security Feature Bypass

Assigner

microsoft

References

URL

Tags

	http://www.securityfocus.com/bid/104619	vdb-entryx_refsource_BID
	https://portal.msrc.microsoft.com/en-US/security-…	x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

Microsoft

Skype

Affected: Business 2016 (32-bit)
Affected: Business 2016 (64-bit)

Microsoft

Microsoft Lync

Affected: 2013 Service Pack 1 (32-bit)
Affected: 2013 Service Pack 1 (64-bit)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:46:13.830Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "104619",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104619"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Skype",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "Business 2016 (32-bit)"
            },
            {
              "status": "affected",
              "version": "Business 2016 (64-bit)"
            }
          ]
        },
        {
          "product": "Microsoft Lync",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "2013 Service Pack 1 (32-bit)"
            },
            {
              "status": "affected",
              "version": "2013 Service Pack 1 (64-bit)"
            }
          ]
        }
      ],
      "datePublic": "2018-07-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka \"Skype for Business and Lync Security Feature Bypass Vulnerability.\" This affects Skype, Microsoft Lync."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Security Feature Bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-11T09:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "104619",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104619"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2018-8238",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Skype",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Business 2016 (32-bit)"
                          },
                          {
                            "version_value": "Business 2016 (64-bit)"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Microsoft Lync",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2013 Service Pack 1 (32-bit)"
                          },
                          {
                            "version_value": "2013 Service Pack 1 (64-bit)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Microsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A security feature bypass vulnerability exists when Skype for Business or Lync do not properly parse UNC path links shared via messages, aka \"Skype for Business and Lync Security Feature Bypass Vulnerability.\" This affects Skype, Microsoft Lync."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Security Feature Bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "104619",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104619"
            },
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238",
              "refsource": "CONFIRM",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2018-8238",
    "datePublished": "2018-07-11T00:00:00",
    "dateReserved": "2018-03-14T00:00:00",
    "dateUpdated": "2024-08-05T06:46:13.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-15913

CVE-2018-8238 (GCVE-0-2018-8238)

Tags

Sightings

Nomenclature