CVE-2023-36786
📋 TL;DR
CVE-2023-36786 is a remote code execution vulnerability in Skype for Business that allows an attacker to execute arbitrary code on a target system by sending specially crafted messages. This affects organizations using Skype for Business Server and Skype for Business clients. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Skype for Business Server
- Skype for Business client
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM/administrator privileges, enabling data theft, lateral movement, and persistent backdoor installation.
Likely Case
Attacker gains initial foothold on a Skype for Business server or client, then escalates privileges to access sensitive communications data and pivot to other systems.
If Mitigated
Attack contained to an isolated Skype for Business service account with limited system access, provided network segmentation and least privilege are in place.
🎯 Exploit Status
Microsoft has not disclosed technical details, but remote code execution vulnerabilities in communication software often have reliable exploitation paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest security updates from Microsoft's September 2023 Patch Tuesday or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36786
Restart Required: Yes
Instructions:
1. Download and install the latest security updates for Skype for Business Server from the Microsoft Update Catalog.
2. Apply updates to all Skype for Business clients.
3. Restart affected servers and clients as required.
🔧 Temporary Workarounds
Network segmentation
Isolate Skype for Business servers from the internet and restrict internal access to necessary users only
Disable unnecessary features
Disable file transfer and other non-essential features in Skype for Business policies
Set-CsClientPolicy -Identity Global -DisableFileTransfer $true
🧯 If You Can't Patch
- Implement strict network access controls to limit Skype for Business traffic to trusted sources only
- Monitor for unusual Skype for Business activity and implement application allowlisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Skype for Business Server and client versions against Microsoft's security update guidance. Unpatched versions prior to September 2023 updates are vulnerable.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Skype for Business*'} | Select-Object Name, Version
Verify Fix Applied:
Verify that September 2023 or later security updates are installed and Skype for Business services are running updated binaries.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Skype for Business executables
- Failed authentication attempts followed by successful connections
- Abnormal file transfer or message patterns
Network Indicators:
- Unusual outbound connections from Skype for Business servers
- Anomalous protocol usage in Skype for Business traffic
SIEM Query:
source="SkypeForBusiness" AND (event_id=4688 OR process_creation) AND (parent_process="lync.exe" OR parent_process="rtc.exe")
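The SIEM query above, expressed as standalone detection logic that can be run offline against exported logs. This is an added example, not part of the original advisory: it parses Windows process-creation (event id 4688) records in an assumed key=value export format, flags any child process whose parent image is one of the Skype for Business executables the query names (lync.exe, rtc.exe), and raises the severity when the child is a shell or script interpreter. The sample records are constructed, not real telemetry.

```python
"""Flag process creation from Skype for Business executables (added example)."""
import re
from dataclasses import dataclass

# Parent images named in the page's SIEM query.
SFB_PARENTS = {"lync.exe", "rtc.exe"}
# Children that a messaging client has little reason to spawn.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample records in an assumed key=value export format.
SAMPLE_LOGS = [
    'event_id=4688 host=SFB-FE01 parent_process="C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.exe" new_process="C:\\Windows\\System32\\cmd.exe" user=CORP\\jdoe',
    'event_id=4688 host=SFB-FE01 parent_process="C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.exe" new_process="C:\\Windows\\System32\\notepad.exe" user=CORP\\jdoe',
    'event_id=4688 host=WS-0042 parent_process="C:\\Windows\\explorer.exe" new_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user=CORP\\asmith',
    'event_id=4688 host=SFB-FE01 parent_process="C:\\Windows\\System32\\rtc.exe" new_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user="NT AUTHORITY\\SYSTEM"',
    'event_id=4624 host=SFB-FE01 user=CORP\\jdoe logon_type=3',
]

# key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Parse one key=value record into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    parent: str
    child: str
    severity: str  # "high" for interpreters, "low" for any other child


def detect(lines) -> list:
    """Return one Alert per 4688 record whose parent is a Skype for Business image."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event_id") != "4688":
            continue  # only process-creation events are relevant here
        parent = image_name(rec.get("parent_process", ""))
        if parent not in SFB_PARENTS:
            continue
        child = image_name(rec.get("new_process", ""))
        severity = "high" if child in INTERPRETERS else "low"
        alerts.append(Alert(rec.get("host", "?"), rec.get("user", "?"),
                            parent, child, severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.severity.upper()}] {a.host} {a.user}: {a.parent} -> {a.child}")
```

Any child process spawned by the client is worth a ticket because the page lists process creation from Skype for Business executables as an indicator; the severity split keeps benign helpers such as an editor opened from a link from drowning out a shell launched from the same parent.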