[ALERT] ADVISORY ON ZERO-CLICK 'WORMABLE' RCE FLAW UNCOVERED IN MICROSOFT TEAMS

BACKGROUND

A Remote Code Execution vulnerability has been identified in the MS Teams desktop app, which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com. A specially crafted chat message can be sent to any Microsoft Teams member or channel, and it will execute arbitrary code on the victim's PC with NO USER INTERACTION.

Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victims' devices and company internal networks via those devices.

Even without arbitrary code execution on a victim device, with the demonstrated XSS it's possible for an attacker to obtain SSO authorisation tokens for Microsoft Teams and other Microsoft services (e.g. Skype, Outlook, Office365). Furthermore, the XSS vulnerability by itself allows access to confidential / private conversations, files, etc. from within MS Teams.

IMPACT

  • The exploit payload can be spread across other users, channels and companies without any interaction or indications of compromise
  • Attackers can gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft 365
  • Complete loss of confidentiality and integrity for victims: access to private communications, internal networks, private keys, as well as personal data outside of Microsoft Teams.

AFFECTED VERSION

  • Microsoft Teams (teams.microsoft.com) - Cross-Site Scripting
  • Microsoft Teams macOS v 1.3.00.23764 (latest as of 2020-08-31)
  • Microsoft Teams Windows v 1.3.00.21759 (latest as of 2020-08-31)
  • Microsoft Teams Linux v 1.3.00.16851 (latest as of 2020-08-31)
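
One way to check a desktop inventory against the builds listed above (an added example, not part of the original advisory). It assumes an inventory of (host, platform, version) entries, constructed here, and treats any build at or below the listed one as affected, since the advisory names no fixed version.

```python
# Build numbers are from the AFFECTED VERSION list; the inventory is constructed.
AFFECTED_BUILDS = {
    "macos": "1.3.00.23764",
    "windows": "1.3.00.21759",
    "linux": "1.3.00.16851",
}


def parse_version(text):
    """Turn '1.3.00.21759' (optionally prefixed with 'v') into a tuple of ints."""
    parts = text.strip().lstrip("vV").strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Teams version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(platform, version):
    """Return 'affected', 'newer' or 'unknown' for one desktop installation."""
    listed = AFFECTED_BUILDS.get(platform.strip().lower())
    if listed is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    # Assumption: builds at or below the listed one are treated as affected.
    return "affected" if installed <= parse_version(listed) else "newer"


def triage(inventory):
    """Group host names by status so unparseable entries are not silently dropped."""
    report = {"affected": [], "newer": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report


# Constructed sample inventory: (host, platform, Teams desktop version).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "1.3.00.21759"),
    ("ws-002", "Windows", "1.3.00.30866"),
    ("mac-01", "macOS", "v1.3.00.12058"),
    ("lnx-01", "Linux", "1.3.00.16851"),
    ("lnx-02", "Linux", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check; the web client at teams.microsoft.com is outside what this inventory check covers.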

RECOMMENDATIONS

  • Always update your operating system to the latest version
  • Apply appropriate patches and updates immediately
  • Use anti-virus software
  • Enable multi-factor authentication for Office 365
  • Use strong passwords and make sure to use different passwords for different accounts
  • Practice password protection or encryption to secure confidential data