Security researchers find wormable Zero-Click RCE vulnerability

A security researcher has found a serious security vulnerability in Microsoft Teams. It allows remote code execution (RCE) without user interaction (zero-click) on all platforms supported by Teams. The vulnerability could be exploited by a worm to spread via a Teams network connection. Of particular interest is the classification by Microsoft.

German security researcher Kanthak drew my attention this morning to the corresponding report by security researcher Oskars Vegeris, a security engineer at Evolution Gaming. Vegeris discovered the critical vulnerability in Microsoft Teams and reported it to Microsoft on August 31, 2020. In October 2020 there was then a security update for Teams. The whole thing is a 'jaw-dropping' story.

Displaying a message is enough

According to Vegeris, it is enough for an attacker to send a manipulated message to another team member. The recipient only has to display this message for the code embedded in it to be executed. So this is a zero-click vulnerability that allows remote code execution (RCE). Without further interaction by the victim, the attacked company's internal network, personal documents, Office 365 documents/mail/notes, and secret chats are fully compromised. The following GIF shows the attack.

[GIF: RCE demonstration (Source: GitHub)]

The nasty side

Microsoft aggressively promotes Trustworthy by Design (see Security and Microsoft Teams) and boasts about privacy and security. Microsoft CEO Satya Nadella announced on October 27, 2020 during a telephone conversation with investors that Microsoft Teams now has 115 million daily active users.

When the security researcher reported the vulnerability to Microsoft, it was classified as "important, spoofing" on September 30, 2020. This is one of the lowest possible classifications. When Vegeris contacted Microsoft again and pointed out the explosiveness of the vulnerability, Microsoft refused to discuss the implications in detail. This decision was made on November 19, 2020 and is final. Microsoft also writes that no CVE number will be assigned. "As for the CVE part, it is currently Microsoft policy not to issue CVEs for products that are automatically updated without user interaction," Microsoft stated on November 30, 2020. At least the vulnerabilities were fixed at the end of October 2020. Details can be found in the GitHub article by Vegeris.
