
How to remediate – Skype Stack Version Detection

1. Introduction

Skype Stack Version Detection refers to a situation where information about the version and timestamp of a remote Skype installation can be obtained. This allows attackers to fingerprint targets, potentially identifying vulnerable systems for further exploitation. Affected systems are typically those running the Skype application on various operating systems. A successful query could provide an attacker with details useful in targeting specific versions with known weaknesses, impacting confidentiality through information disclosure.

2. Technical Explanation

The vulnerability occurs because Skype exposes a service that allows querying its stack version and timestamp when a connection is made to the remote port. An attacker can connect to this port to retrieve this information without authentication. There is no known CVE associated with this specific detection, but it indicates potential exposure of internal details. An example attack would involve an attacker scanning a network for open Skype ports and then querying them to identify systems running older, potentially vulnerable versions.

  • Root cause: The service does not require authentication or authorization to provide stack version information.
  • Exploit mechanism: An attacker connects to the Skype port and sends a request to query the stack version. This returns the version string and timestamp of the running Skype instance.
  • Scope: Systems running any version of the Skype application are potentially affected, although older versions are more likely to be targeted due to known vulnerabilities.

3. Detection and Assessment

You can confirm a system is vulnerable by checking for an open Skype port and then querying it. A thorough method involves attempting to retrieve the stack version information directly.

  • Quick checks: Use `netstat` or similar tools to check if port 6544 (default) is listening.
  • Scanning: Nessus plugin ID 13978 can identify this issue, but results should be verified manually.
  • Logs and evidence: Skype logs may show connection attempts on the relevant port, though these are unlikely to indicate malicious activity directly.
netstat -an | grep 6544

4. Solution / Remediation Steps

The primary solution is to disable the service if it’s not required. Filtering the port alone isn’t sufficient, as Skype can initiate outgoing connections.

4.1 Preparation

  • Ensure you have a method to restart the Skype service if needed. The rollback plan is to restore the original configuration file and restart the service.
  • Change windows should be planned during off-peak hours, with approval from relevant IT stakeholders.

4.2 Implementation

  1. Open the Skype application settings.
  2. Navigate to Advanced Settings (Tools > Options > Advanced).
  3. Disable the service that exposes stack version information if it is not needed. The exact setting name may vary depending on the Skype version.

4.3 Config or Code Example

Before

(Setting enabled - stack version information exposed)

After

(Setting disabled - stack version information not exposed)

4.4 Security Practices Relevant to This Vulnerability

Least privilege is relevant here, as disabling unnecessary services reduces the attack surface. Safe defaults would mean that potentially risky features are disabled by default.

  • Practice 1: Least privilege – only enable necessary services and features to reduce potential exposure.
  • Practice 2: Patch cadence – Regularly update Skype to benefit from security improvements and bug fixes.

4.5 Automation (Optional)

# No automation script available due to configuration differences between Skype versions. Manual disabling is recommended.

5. Verification / Validation

Confirm the fix by checking that the stack version information can no longer be obtained from the remote port. Perform a negative test to ensure the service is inaccessible.

  • Post-fix check: Use `netstat` or similar tools to verify the Skype port is still listening, but attempt to query it and confirm no version information is returned.
  • Re-test: Re-run the earlier detection method (port scan and query) to show that the stack version cannot be obtained.
  • Monitoring: Monitor network traffic for unexpected connections on port 6544 as an example alert.
netstat -an | grep 6544; telnet <host> 6544 (should not return version information)
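The detection step in section 3 and the post-fix negative test above can be scripted so the "before" and "after" states are compared the same way each time. The block below is an added example, not part of the original article or of any Skype tooling: the page does not document the actual query the service answers or the exact response format, so the probe bytes sent, the version and timestamp patterns matched, and the local stub server (which stands in for a Skype instance during offline testing) are all assumptions constructed for illustration.

```python
import re
import socket
import socketserver
import threading

SKYPE_PORT = 6544  # default port named in the article

# Assumed heuristics: a leaked banner is taken to contain a "Skype" token,
# a dotted version number and an ISO-style build date. Adjust to the real
# response format once it is observed in the lab.
VERSION_RE = re.compile(rb"Skype[^\r\n]*?(\d+\.\d+(?:\.\d+)*)", re.IGNORECASE)
TIMESTAMP_RE = re.compile(rb"\b\d{4}-\d{2}-\d{2}\b")


def probe_stack_version(host, port=SKYPE_PORT, timeout=3.0):
    """Connect to host:port, send a minimal probe and report what came back.
    Returns {"reachable": bool, "version": str|None, "timestamp": str|None}."""
    result = {"reachable": False, "version": None, "timestamp": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.sendall(b"\r\n")  # assumed generic probe; the real query is undocumented
            chunks = []
            try:
                while True:
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # silent service: treat whatever arrived so far as the banner
            banner = b"".join(chunks)
    except OSError:
        return result  # refused, filtered or unreachable
    version = VERSION_RE.search(banner)
    stamp = TIMESTAMP_RE.search(banner)
    result["version"] = version.group(1).decode() if version else None
    result["timestamp"] = stamp.group(0).decode() if stamp else None
    return result


def is_remediated(result):
    """Negative test from section 5: no version and no timestamp disclosed."""
    return result["version"] is None and result["timestamp"] is None


class _StubHandler(socketserver.BaseRequestHandler):
    def handle(self):  # constructed stand-in for a Skype listener
        self.request.recv(1024)
        self.request.sendall(self.server.banner)


def start_stub_server(banner):
    """Start a loopback listener that answers any probe with `banner`."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _StubHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run `probe_stack_version` against a host before and after the change in section 4.2; `is_remediated` should be False on the pre-change result and True afterwards, with the port still reported as reachable.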

6. Preventive Measures and Monitoring

Update security baselines to include disabling unnecessary Skype services. Implement checks in CI/CD pipelines to ensure secure configurations are deployed. Maintain a regular patch or configuration review cycle for Skype installations.

  • Baselines: Update your network security baseline to reflect the recommendation of disabling unused Skype features.
  • Asset and patch process: Review Skype configurations regularly as part of a wider asset management program.

7. Risks, Side Effects, and Rollback

Disabling the service may affect certain Skype features if they rely on it. The rollback steps involve re-enabling the service in the Skype settings.

  • Rollback: open the Skype application settings, navigate to Advanced Settings, re-enable the disabled service, and restart Skype.

8. References and Resources

Updated on December 27, 2025