Microsoft Lync Bugs Permit Cross-Site Scripting and Denial of Service Attacks
SecurityTracker Alert ID: 1030821
SecurityTracker URL: http://securitytracker.com/id/1030821
CVE Reference:
CVE-2014-4068, CVE-2014-4070, CVE-2014-4071
Updated: Sep 24 2014
Original Entry Date: Sep 9 2014
Impact:
Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2010, 2013
Description:
Three vulnerabilities were reported in Microsoft Lync. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks.
A remote user can send a specially crafted call to trigger an exception handling error on the server and cause the target system to stop responding [CVE-2014-4068].
Peter Schraffl of Telecommunication Software GmbH reported this vulnerability.
The server does not properly filter HTML code from user-supplied input before displaying the input [CVE-2014-4070]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Microsoft Lync software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Noam Rathaus (via Beyond Security's SecuriTeam Secure Disclosure team) reported this vulnerability.
A remote user can send a specially crafted request to trigger a null dereference and cause the target system to stop responding [CVE-2014-4071].
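The second issue above (CVE-2014-4070) is the reflected cross-site scripting defect class: the server copies untrusted input taken from the request into its HTML response without HTML-encoding it, so markup supplied in a crafted URL is interpreted by the victim's browser in the site's origin. The Python snippet below is an added illustration written for this page, not Lync code and not the reporter's proof of concept; it contrasts the defective pattern with output encoding via the standard library's html.escape, and checks that encoded output carries no tags beyond the template's own. The hostname lync.example.test, the query parameter name and the probe() marker are constructed placeholders. It goes slightly beyond the page by also showing the attribute-value context, where quote encoding matters.

```python
"""Added example (not Lync code): reflecting a URL query parameter into HTML
with and without output encoding, the defect class behind CVE-2014-4070."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the parameter value is percent-encoded markup.
# Hostname and parameter name are placeholders, not taken from the advisory.
CRAFTED_URL = "https://lync.example.test/meet?user=%3Cscript%3Eprobe()%3C%2Fscript%3E&lang=en"

# Matches the start of an HTML tag (opening or closing). Encoded text such as
# "&lt;script" contains no literal "<" and therefore never matches.
_TAG_START = re.compile(r"<\s*/?[A-Za-z]")


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` in `url`, percent-decoded ('' if absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return values.get(name, [""])[0]


def render_vulnerable(user_name: str) -> str:
    """Defective pattern: untrusted input concatenated straight into markup."""
    return f"<p>Welcome, {user_name}</p>"


def render_hardened(user_name: str) -> str:
    """Hardened pattern for element-body context: HTML-encode before insertion.

    html.escape encodes '&', '<' and '>' and, with quote=True, also '"' and "'",
    so the same helper is safe inside a quoted attribute value.
    """
    return f"<p>Welcome, {html.escape(user_name, quote=True)}</p>"


def render_hardened_attr(user_name: str) -> str:
    """Hardened pattern for attribute-value context: the quote characters are
    encoded, so the value cannot terminate the attribute it sits in."""
    return f'<input type="text" name="user" value="{html.escape(user_name, quote=True)}">'


def count_tags(rendered: str) -> int:
    """Count tag starts in rendered markup; a count above the template's own
    tag count means the input introduced markup of its own."""
    return len(_TAG_START.findall(rendered))


def input_injected_markup(rendered: str, template_tag_count: int) -> bool:
    """True when rendered output carries more tags than the template itself."""
    return count_tags(rendered) > template_tag_count


if __name__ == "__main__":
    value = query_param(CRAFTED_URL, "user")
    print("decoded parameter :", value)
    print("vulnerable render :", render_vulnerable(value))
    print("hardened render   :", render_hardened(value))
    print("attribute render  :", render_hardened_attr('a"b'))
```

The check in input_injected_markup is a test aid for illustrating the difference, not a substitute for encoding: the defensive control is that every untrusted value is encoded for the exact context (element body, attribute value, URL, script) in which it is emitted.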
Impact:
A remote user can cause the target system to stop responding.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Microsoft Lync software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
The vendor has issued the following fixes:
Microsoft Lync Server 2010 (Response Group Service):
http://www.microsoft.com/downloads/details.aspx?familyid=242b60fd-e25b-4ea3-9666-b9a4ea2e7dfd
Microsoft Lync Server 2013 (Server):
http://www.microsoft.com/downloads/details.aspx?familyid=ec851cbf-83eb-44d0-8325-56fc2d5e13fd
Microsoft Lync Server 2013 (Response Group Service):
http://www.microsoft.com/downloads/details.aspx?familyid=ec851cbf-83eb-44d0-8325-56fc2d5e13fd
Microsoft Lync Server 2013 (Core Components):
http://www.microsoft.com/downloads/details.aspx?familyid=ec851cbf-83eb-44d0-8325-56fc2d5e13fd
Microsoft Lync Server 2013 (Web Components Server):
http://www.microsoft.com/downloads/details.aspx?familyid=ec851cbf-83eb-44d0-8325-56fc2d5e13fd
[Editor's Note: On September 16, 2014, the vendor updated their advisory to remove the fix for Microsoft Lync Server 2010 Server version because this version is not affected.]
[Editor's Note: On September 23, 2014, the vendor re-offered the 2982385 security update file (server.msp) for Microsoft Lync Server 2010. The vendor recommends that customers apply this update.]
A restart is not required.
The Microsoft advisory is available at:
https://technet.microsoft.com/library/security/ms14-055
Vendor URL: technet.microsoft.com/library/security/ms14-055
Cause:
Access control error, Input validation error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
[Original Message Not Available for Viewing]