WinShock, KB2992611 (and V2), KB3011780, Critical Schannel Vulnerability CVE-2014-6321

21 Nov


This post covers the vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows, the patches released for it, and the problems those patches caused.

The patches:

List of issues:

The result: TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive. You may also receive an error message that resembles the following in the System log in Event Viewer:

Log Name: System
Source: Schannel
Date: Date and time
Event ID: 36887
Task Category: None
Level: Error
Computer: ComputerName
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Microsoft’s workaround, which you can read in the KB article, involves deleting four Registry values, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, and TLS_RSA_WITH_AES_128_GCM_SHA256.

Then there are all the reported SQL issues that this patch caused, as well as all the IIS issues and so on.

Step forward now to 18/11/14 and MS14-068: Microsoft releases V2 of the above patches, re-releasing KB2992611 and also adding the new KB3011780.

KB3011780 should fix the Kerberos issue:

The vulnerability will allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

The ‘good’ news is that Windows Update should look after most of this for you; you can always check the status of the updates using this simple VBScript:
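An added PowerShell equivalent of that update check, written for this page and not the author's script: it reports whether KB2992611 and KB3011780 are installed and whether the Schannel Event ID 36887 / alert code 40 errors shown above have appeared in the System log. It assumes an elevated PowerShell session on the host being checked; the KB list and look-back window are parameters I chose.

```powershell
# Added example, not part of the original post.
# Assumes an elevated PowerShell session on the Windows host being checked.
function Test-WinShockStatus {
    [CmdletBinding()]
    param(
        # Updates discussed in the post: MS14-066 V2 and the MS14-068 Kerberos fix
        [string[]]$KbIds = @('KB2992611', 'KB3011780'),
        # How far back to look for Schannel errors (assumed default)
        [int]$DaysBack = 7
    )

    # 1. Update presence: Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{
            Check  = "Update $kb"
            Status = if ($installed -contains $kb) { 'Installed' } else { 'MISSING' }
        }
    }

    # 2. Schannel Event ID 36887 in the System log whose message carries
    #    TLS fatal alert code 40, the symptom described in the KB article.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no events".
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $alert40 = @($events | Where-Object { $_.Message -match 'alert code is 40\b' })
    [pscustomobject]@{
        Check  = "Schannel 36887 / alert 40 (last $DaysBack days)"
        Status = if ($alert40.Count -eq 0) {
                     'None seen'
                 } else {
                     "$($alert40.Count) event(s) - review the cipher suite workaround"
                 }
    }
}

Test-WinShockStatus | Format-Table -AutoSize
```

A MISSING row for either KB, or a non-zero alert 40 count after the patch, is the signal to revisit the KB article's cipher suite workaround.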

FYI: The SSL Labs site provides a nice test to check your sites.