PT-2017-3101 · Microsoft · Skype For Business+1

Published: 2017-10-10 · Updated: 2019-10-03 · CVE-2017-11786

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016

Description: The issue is related to how Skype for Business handles authentication requests, allowing an attacker to steal an authentication hash that can be reused elsewhere. This is due to insufficient access restrictions in the software. An attacker can exploit this issue by using a specially crafted user profile to steal the authentication hash, which can then be reused.

Recommendations: For Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016, consider restricting access to authentication requests until a fix is available. As a temporary workaround, consider disabling the authentication request handling functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Related Identifiers

BDU:2017-02484
CVE-2017-11786

Affected Products

Lync
Skype For Business