#auth

**According to the CVSS metric, the attack vector is network (AV:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution?** The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attacker needs to be authenticated as a normal user.

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

**What can cause this vulnerability?** The vulnerability occurs due to improper validation of cmdlet arguments. **Does the attacker need to be in an authenticated role in the Exchange Server?** Yes, the attacker must be authenticated.

**How could an attacker exploit this vulnerability?** An attacker could exploit this path traversal vulnerability by leveraging the OcsPowershell endpoint within Skype for Business Server 2019 CU7 Hotfix 2 and Skype for Business Server 2015 CU13 Hotfix 1. Exploitation of this vulnerability requires the authenticated remote user be granted either the CsVoiceAdministrator or CsServerAdministrator role in order to create arbitrary files on the server. This exploit would allow the attacker to execute arbitrary code on the server.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could execute code in the security context of the “NT AUTHORITY\\Network Service” account.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** An attacker could exploit the vulnerability by tricking an authenticated user (CVSS metric UI:R) into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges.

**According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?** An authenticated victim who is connected to the network must be tricked or persuaded to connect to a malicious SQL database using their SQL client application. After the connection is made, the server can send specially crafted replies to the client that exploit the vulnerability and permit execution of arbitrary code within the context of the user's SQL client application.

**How could an attacker exploit this vulnerability?** Successful exploitation of this vulnerability could allow an authenticated domain user to remotely execute code on the target server. The attacker needs to convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could create or delete files in the security context of the “NT AUTHORITY\\ LOCAL SERVICE” account.