Brian Jackson - Fotolia

New Microsoft Teams RCE vulnerability also wormable

In his GitHub post, researcher Oskars Vegeris discussed Microsoft classifying the vulnerability as 'Important' rather than 'Critical,' despite it being exploitable via RCE.

A new Microsoft Teams vulnerability was found to not only be capable of remote code execution, but also able to do so without requiring the victim to click a single link. After Microsoft categorized the vulnerability as "Important, Spoofing," the researcher who discovered it described the rating as "one of the lowest in-scope ratings possible."

The wormable vulnerability, which has been patched, was reported Aug. 31. Oskars Vegeris, a security engineer at live gaming B2B provider Evolution who discovered the vulnerability, said the flaw is executed when the recipient reads a new or edited message, which "looks completely normal to victim."

"That's it. There is no further interaction from the victim," Vegeris wrote in a post on his GitHub page Monday. "Now your company's internal network, personal documents, O365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited."

If the message is then automatically posted in other channels, "everybody gets exploited," which can include other organizations that are guests in the affected channel. Vegeris said the vulnerability requires only a single non-interactive HTML request to be exploited.

In the summary section of the original report sent to Microsoft, Vegeris describes the vulnerability as "A Remote Code Execution vulnerability has been identified in MS Teams desktop, which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com. A specifically crafted chat message can be sent to any Microsoft Teams member or channel, which will execute arbitrary code on victim PCs with NO USER INTERACTION."

When he received what he perceived as a low rating for a remote code execution (RCE) vulnerability, Vegeris attempted to explain his position to Microsoft Security Response Center. The original "Important, Spoofing" classification was ultimately unchanged.

"After receiving the 'Important, Spoofing' rating, I sent a list of bullet points -- what I considered the real impact as argumentation to MSRC employees. I was hoping maybe they [would] reconsider," Vegeris continued in his GitHub post. "The discussion was mostly without substance -- just reiterating the ratings. It took weeks for each response, every time me having to remind them about it. Sooo, after around 3 months it ended as-is: 'Important, Spoofing' and that the desktop client -- remote code execution -- is 'out of scope.' I mean, Microsoft can take the desktop app out of scope, which in my opinion is absurd, as it's promoted as the primary way to use Microsoft Teams, but how is any of this 'Important' and what the hell is 'Spoofing?'"

In a statement provided to media including SearchSecurity, a Microsoft spokesperson said, "We mitigated the issue with an update in October, which has automatically deployed and protected customers." In the same email as the statement, a spokesperson also added that, "No additional customer actions are necessary," and linked to a page explaining Microsoft's Security Update Severity Ratings System.

According to Microsoft, an "Important" vulnerability includes "common use scenarios where client is compromised with warnings or prompts, regardless of the prompt's provenance, quality or usability. Sequences of user actions that do not generate prompts or warnings are also covered." Meanwhile, the "Critical" category above it refers specifically to RCE vulnerabilities and wormables, which match Vegeris' description of the vulnerability.

Dig Deeper on Threats and vulnerabilities