-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

SKYPE SECURITY BULLETIN                                         SKY-CERT

Bulletin title:         Heap overflow in networking routine
Bulletin ID:            SKYPE-SB/2005-003
Bulletin status:        FINAL
Date of announcement:   2005-10-25 08:00:00 +0000
Date of last revision:  2005-10-27 15:06:11 +0000
Products affected:      Skype client (all platforms)
Vulnerability type:     Heap overflow
CVE references:         CVE-2005-3267
Risk assessment:        HIGH
CVSS base score:        8.0 (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:A)
Cross-references:       None

Table of contents:

   1. Problem description and brief discussion
   2. Impact and affected software
   3. Solution or work-around
   4. Special instructions and notes
   5. Software download location
   6. Authenticity verification
   7. Common Vulnerability Scoring System (CVSS) assessment
   8. Credits and additional information
   9. Bulletin release history
  10. Notices

________________________________________________________________________

1. Problem description and brief discussion

Description
-----------

A security bug in the Skype user client, for all platforms, has been
identified and fixed. Skype can be remotely forced to crash due to an
error in bounds checking in a specific networking routine.

Discussion
----------

An attacker who sends a stream of specifically-crafted network traffic
to a Skype client network can cause the client to overwrite part of the
heap, including the heap integrity control data. Since the attacker
cannot control the address where the data is written, the most likely
effect will be that the Skype client will abort execution due to an
internal error, although other unpredictable behavior is possible. Such
a crash will lead to a loss of availability of the Skype application
until it is restarted by the user. Skype has been able to induce Skype
clients to crash, but has not been able to cause the client to execute
specific instructions.

This is tracked by Mitre CVE ID CVE-2005-3267.

________________________________________________________________________

2. Impact and affected software

Impact
------

An attacked Skype client may crash.

Affected Software
-----------------

The following Skype clients are vulnerable to this attack:

  Skype for Windows:    All releases prior to and including 1.4.*.83
  Skype for Mac OS X:   All releases prior to and including 1.3.*.16
  Skype for Linux:      All releases prior to and including 1.2.*.17
  Skype for Pocket PC:  All releases prior to and including 1.1.*.6

________________________________________________________________________

3. Solution or work-around

An official fix to the issue covered by this Security Bulletin has been
released. To implement this fix, update to one of the following releases
of Skype. (Downloading instructions are shown in Section 4 of this
Bulletin.)

  Skype for Windows:    Release 1.4.*.84 or later
  Skype for Mac OS X:   Release 1.3.*.17 or later
  Skype for Linux:      Release 1.2.*.18 or later
  Skype for Pocket PC:  Release 1.1.*.20 or later

________________________________________________________________________

4. Special instructions and notes

None.

________________________________________________________________________

5. Software download location

The preferred method for installing security updates is to download the
software directly from Skype's website, from the website of Skype's
authorized partners, or from a reliable mirror site. Skype may also be
safely downloaded from other locations, but in this case it is
particularly important that you verify the authenticity of the download.
We recommend that once you download any Skype software, you verify its
integrity by the methods listed in Section 6 of this Bulletin.

  x86 platform, Microsoft Windows 2000 or Microsoft Windows XP:
    http://www.skype.com/products/skype/windows/

  x86 platform, Linux:
    http://www.skype.com/products/skype/linux/

  PPC platform, Mac OS X v10.3 (Panther) or later:
    http://www.skype.com/products/skype/macosx/

  Pocket PC platform, Microsoft Windows Mobile 2003:
    http://www.skype.com/products/skype/pocketpc/

________________________________________________________________________

6. Authenticity verification

- Bulletin authenticity verification: Skype security bulletins are
  published on Skype's web site and via mailing lists. The authenticity
  and integrity of a Skype security bulletin may be determined by
  inspecting the cryptographic signature that is attached to each
  bulletin. All Skype security bulletins are published with a valid
  digital signature produced by PGP.

- Software authenticity verification: Both the Skype installer program
  and the Skype program that is installed by the installer are digitally
  signed. For Skype software built for Microsoft Windows operating
  environments, the digital certificate used by Skype to sign software
  packages is signed by "VeriSign Class 3 Code Signing 2004 CA". For
  Skype software built for Linux platforms, all packages are signed by
  PGP key ID 0xD66B746E, the public component of which may be downloaded
  from http://www.skype.com/products/skype/linux/.

- For general information about Skype security, please visit the Skype
  Security Resource Center at http://www.skype.com/security/.

________________________________________________________________________

7. Common Vulnerability Scoring System (CVSS) assessment

Skype has rated the issue covered by this Security Bulletin under the
CVSS scheme as follows:

  Base metrics:

    Access Vector (AV) ........... Remote
    Access Complexity (AC) ....... High
    Authentication (Au) .......... Not Required
    Confidentiality Impact (C) ... Complete
    Integrity Impact (I) ......... Complete
    Availability Impact (A) ...... Complete
    Impact Bias (B) .............. Availability

    Computed CVSS base score: 8.0

  Temporal metrics as of 2005-10-25:

    Exploitability (E) ........... Proof of Concept
    Remediation Level (RL) ....... Official Fix
    Report Confidence (RC) ....... Confirmed

    Computed CVSS temporal score: 6.3

Skype participates in the CVSS by rating each identifiable security
vulnerability against the CVSS base metrics. In addition, Skype may rate
each vulnerability against temporal metrics from time to time. As
suggested by the name, temporal metrics for a particular vulnerability
may change from time to time. More information about the CVSS may be
obtained from the CVSS host website at http://www.first.org/cvss/.

________________________________________________________________________

8. Credits and additional information

This bug was simultaneously referred to SKY-CERT by two independent
sources, one internal to Skype and one external. We would like to thank
and acknowledge the external referrer, the EADS Corporate Research
Center security lab, for having referred this issue to Skype.

________________________________________________________________________

9. Bulletin release history

  2005-10-25  Initial bulletin release
  2005-10-25  Corrected credit information at the request of Imad Lahoud
              of the EADS Corporate Research Center
  2005-10-27  Updated to reflect release of updated software for Skype
              for PocketPC

________________________________________________________________________

10. Notices

Copyright 2005 Skype Technologies, S.A. All rights reserved.

This Skype Security Bulletin may be reproduced and distributed, provided
that the Bulletin is not modified in any way and is attributed to Skype
Technologies, S.A. and provided that reproduction and distribution is
performed for non-commercial purposes.

This Skype Security Bulletin is provided to you on an "AS IS" basis and
may contain information provided by third parties.
Skype makes no guarantees or warranties as to the information contained
herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED.

========================================================================

To report a security issue to Skype, please send an e-mail that
describes the problem or vulnerability to . Please consider securing any
reports that disclose security vulnerabilities by encrypting them using
the PGP key of the Skype Computer Emergency Response Team (SKY-CERT),
PGP key ID 0x019DBB43.

========================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)

iQA/AwUBQ2Ds4uQJFIMBnbtDEQLk4wCfaeHEDstXOlWcXZEz+H+XDTQ/aI4AoM93
ZBtm6FryuExR0EYdiBKVKjI/
=SRGd
-----END PGP SIGNATURE-----
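
The base score of 8.0 and temporal score of 6.3 in Section 7 can be reproduced from the bulletin's own vector and temporal ratings. The Python below is an added example, not part of the Skype bulletin: it assumes the CVSS version 1 weights and equations, and its function names are illustrative.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# CVSS version 1 weights (assumed scheme); abbreviations follow the bulletin's
# vector, e.g. AV:R = Access Vector Remote, Au:NR = Authentication Not Required.
EXPLOIT = {
    "AV": {"L": "0.7", "R": "1.0"},   # Local / Remote
    "AC": {"H": "0.8", "L": "1.0"},   # High / Low
    "Au": {"R": "0.6", "NR": "1.0"},  # Required / Not Required
}
IMPACT = {"N": "0", "P": "0.7", "C": "1.0"}  # None / Partial / Complete
BIAS = {  # Impact Bias value -> weights applied to (C, I, A)
    "N": ("0.333", "0.333", "0.333"),
    "C": ("0.5", "0.25", "0.25"),
    "I": ("0.25", "0.5", "0.25"),
    "A": ("0.25", "0.25", "0.5"),
}
TEMPORAL = {
    "E": {"Unproven": "0.85", "Proof of Concept": "0.90", "Functional": "0.95", "High": "1.00"},
    "RL": {"Official Fix": "0.87", "Temporary Fix": "0.90", "Workaround": "0.95", "Unavailable": "1.00"},
    "RC": {"Unconfirmed": "0.90", "Uncorroborated": "0.95", "Confirmed": "1.00"},
}

def _round1(value):
    # Scores are reported to one decimal place, rounding halves up.
    return float(value.quantize(D("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vector):
    """Split '(AV:R/AC:H/...)' into {metric: value}; reject missing or extra metrics."""
    fields = dict(part.split(":", 1) for part in vector.strip("() ").split("/"))
    if set(fields) != {"AV", "AC", "Au", "C", "I", "A", "B"}:
        raise ValueError(f"unexpected metric set: {sorted(fields)}")
    return fields

def base_score(vector):
    m = parse_vector(vector)
    try:
        exploit = D(EXPLOIT["AV"][m["AV"]]) * D(EXPLOIT["AC"][m["AC"]]) * D(EXPLOIT["Au"][m["Au"]])
        impact = sum(D(IMPACT[m[k]]) * D(w) for k, w in zip("CIA", BIAS[m["B"]]))
    except KeyError as exc:
        raise ValueError(f"unknown metric value {exc}") from None
    return _round1(10 * exploit * impact)

def temporal_score(base, exploitability, remediation, confidence):
    factor = D(TEMPORAL["E"][exploitability]) * D(TEMPORAL["RL"][remediation]) * D(TEMPORAL["RC"][confidence])
    return _round1(D(str(base)) * factor)

if __name__ == "__main__":
    base = base_score("(AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:A)")  # vector from the bulletin header
    print(base, temporal_score(base, "Proof of Concept", "Official Fix", "Confirmed"))
```

The High access complexity factor (0.8) is the only term that lowers the base score from the maximum, and the Official Fix remediation level (0.87) accounts for most of the drop to the temporal score.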