Unpatched Vulnerabilities in Microsoft Teams Software

INTRODUCTION

Security researchers recently discovered four separate vulnerabilities in Microsoft Teams that an attacker could exploit to spoof link previews, leak IP addresses, and even access the software giant’s internal services.

The disclosure comes from Berlin-based cybersecurity firm Positive Security, which observed that the implementation of the link preview feature is vulnerable to several issues that can allow access to internal Microsoft services, spoofing of the link preview, leaking of IP addresses for Android users, and Denial-of-Service (DoS) of the Teams app/channels.

Of the four vulnerabilities, Microsoft has addressed the most impactful one, which results in IP address leakage from Android devices, and it says that a fix for the denial-of-service (DoS) flaw will be considered in a future version of the product. The issues were responsibly disclosed to the company on March 10, 2021.

 

MAIN CONCERN

During the investigation, the researchers observed that they could bypass the Same-Origin Policy (SOP) in Teams by abusing the link preview feature in Microsoft’s video conferencing software: the client is made to generate a link preview for the target web page, and information is then extracted from the preview's summary text or from the preview image using optical character recognition (OCR).

The following vulnerabilities were discovered in Microsoft Teams:

1) SSRF

The first discovered major flaw is a Server-Side Request Forgery (SSRF) vulnerability in the endpoint “/urlp/v1/url/info” that could be exploited to extract information from Microsoft’s local network.

2) Spoofing

The second discovered flaw is a spoofing vulnerability wherein the preview link target can be altered to point to any malicious URL while keeping the main link, preview image, and description intact, permitting attackers to hide malicious links and stage improved phishing attacks.

3) Denial of Service aka Message of Death (Android)

The third discovered flaw is a DoS vulnerability that affects the Android version of Teams. It could cause the app to crash simply by sending a message with a specially crafted link preview containing an invalid target instead of a legitimate URL.

4) IP Address Leak (Android)

The last issue of concern is an IP address leak, which also affects the Android app. By intercepting messages that include a link preview and pointing the thumbnail URL to a non-Microsoft domain, it is possible to gain access to a user’s IP address and user agent data.
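
Items 2 to 4 all come down to a link preview whose fields disagree with each other or point somewhere unexpected, which a message gateway or client can check before rendering. The sketch below is an added example, not code from Microsoft or Positive Security; the field names (url, preview_target, thumbnail_url), the allowlisted thumbnail host and the sample records are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: placeholder allowlist; the real thumbnail hosts are not given on the page.
TRUSTED_THUMBNAIL_HOSTS = {"thumbs.example-cdn.test"}

def parse_http_url(value):
    """Return (scheme, host) for a well-formed http(s) URL, else None."""
    if not isinstance(value, str):
        return None
    try:
        parts = urlsplit(value.strip())
        host = parts.hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return parts.scheme, host.lower().rstrip(".")

def check_link_preview(preview):
    """Return findings for one preview record (hypothetical field names)."""
    findings = []
    main = parse_http_url(preview.get("url"))
    target = parse_http_url(preview.get("preview_target"))
    if main is None:
        findings.append("invalid-main-url")
    if target is None:
        # Item 3: an invalid target in place of a legitimate URL.
        findings.append("invalid-preview-target")
    elif main is not None and target != main:
        # Item 2: the preview opens a different scheme/host than the link shown.
        findings.append("target-mismatch")
    raw_thumb = preview.get("thumbnail_url")
    if raw_thumb is not None:
        thumb = parse_http_url(raw_thumb)
        # Item 4: fetching this thumbnail would reveal IP address and user agent.
        if thumb is None or thumb[1] not in TRUSTED_THUMBNAIL_HOSTS:
            findings.append("untrusted-thumbnail-host")
    return findings

# Constructed sample records, not captured Teams traffic.
GOOD_THUMB = "https://thumbs.example-cdn.test/a.png"
SAMPLES = [
    {"url": "https://contoso.example/report", "preview_target": "https://contoso.example/report", "thumbnail_url": GOOD_THUMB},
    {"url": "https://contoso.example/report", "preview_target": "https://login.attacker.example/", "thumbnail_url": GOOD_THUMB},
    {"url": "https://contoso.example/report", "preview_target": "boom", "thumbnail_url": "https://tracker.example/p.png"},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["url"], "->", check_link_preview(record) or "ok")
```

The comparison is at scheme and host level, so a target on the same host with a different path is not flagged; tighten it to a full-URL match where previews are expected to open exactly the link shown.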

 

OUR RECOMMENDATIONS

 

  • Microsoft has released a patch only for the Android application of Teams, so users are recommended to update to the latest version (1416/1.0.0.2021194504).

 

  • Now that the vulnerabilities have been publicly disclosed, Microsoft will release a patch for them.

 

  • Alternatively, users can use other video conferencing applications until Microsoft releases a patched version for the remaining three vulnerabilities of Microsoft Teams.

 

  • To mitigate spoofing and phishing attacks, users must first check whether the URL they are about to visit uses the HTTPS protocol, and must not visit any unsecured URLs.