This post is about the vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows, and the patches released to fix it.
- MS14-066, 11/11/14: Microsoft released KB2992611, which did not exactly fix everything and in fact left some users in perhaps a worse situation.
The patches:
- Windows 7 x32
- Windows 7 x64
- Server 2008 R2 x64
- Windows 8 x32
- Windows 8 x64
- Windows 8.1 x32
- Windows 8.1 x64
- Server 2012
- Server 2012 R2
List of reported issues:
- http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
- http://www.infoworld.com/article/2849292/operating-systems/more-patch-problems-reported-with-the-ms14-066-kb-2992611-winshock-mess.html
- http://www.infoworld.com/article/2849357/microsoft-windows/microsoft-ms14-066kb-2992611-schannel-ms14-068kb-3011780-kb-3000850.html
- http://serverfault.com/questions/645449/weblogic-10-3-2-ldap-authentication-failure-after-domain-controller-patch-ms14-0
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/218cf562-3dab-4d09-adcc-74f65d0f29f1/winshock-kb2992611-patch-breaks-iis?forum=winserversecurity
The result: TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive. You may also receive an error message that resembles the following in the System log in Event Viewer:
Log Name: System
Source: Schannel
Date: Date and time
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ComputerName
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
Microsoft’s workaround, described in the KB article, involves deleting four registry values, the cipher suites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256.
Then there are all the reported SQL Server issues that this patch caused, as well as all the IIS issues, etc.
Step forward now to MS14-068, 18/11/14: Microsoft released v2 of the above patches, re-releasing KB2992611 and also adding the new KB3011780.
- Windows 7 x32
- Windows 7 x64
- Server 2008 R2 x64
- Windows 8 x32
- Windows 8 x64
- Windows 8.1 x32
- Windows 8.1 x64
- Server 2012
- Server 2012 R2
KB3011780 should fix the Kerberos issue:
The vulnerability will allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
The ‘good’ news is that Windows Update should take care of most of this for you; you can always check the status of the updates using this simple VBScript:
'Enter the hotfix number to check for:
HotFixID = "2992611" 'ONLY the number, no letters here! Run again with "3011780" to check the Kerberos fix.
'Enter the name of the computer to check:
ComputerName = "." 'Replace the dot with a computer name, to connect to a remote computer

status = CheckParticularHotfix(ComputerName, HotFixID)
If status = True Then
    WScript.Echo "The hotfix with number " & HotFixID & " IS installed."
ElseIf status = False Then
    WScript.Echo "The hotfix with number " & HotFixID & " is NOT installed."
Else 'Error: status holds the error message string
    WScript.Echo "Error, unable to check for hotfix. Error is: " & status
End If

Private Function CheckParticularHotfix(strPuter, strHotfixID)
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Version 1.0
    ' Checks if a particular hotfix is installed or not.
    ' This function has these 3 return options:
    ' TRUE, FALSE, or a string describing the error
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strPuter & "\root\cimv2")
    If Err.Number <> 0 Then
        CheckParticularHotfix = "WMI could not connect to computer '" & strPuter & "'"
        Exit Function 'No reason to continue
    End If
    'Older hotfixes are listed as Qnnnnnn, newer ones as KBnnnnnn, so match both
    strWMIforesp = "Select * from Win32_QuickFixEngineering where HotFixID = 'Q" & strHotfixID & _
        "' OR HotFixID = 'KB" & strHotfixID & "'"
    Set colQuickFixes = objWMIService.ExecQuery(strWMIforesp)
    If Err.Number <> 0 Then 'if an error occurs
        CheckParticularHotfix = "Unable to get WMI hotfix info"
    Else 'Error number 0 meaning no error occurred
        tal = colQuickFixes.Count
        If tal > 0 Then
            CheckParticularHotfix = True 'HF installed
        Else
            CheckParticularHotfix = False 'HF not installed
        End If
    End If
    Set colQuickFixes = Nothing
    Err.Clear
    On Error GoTo 0
End Function
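As an added example (not part of the original post), the same hotfix check in PowerShell, plus a scan of the System log for the Schannel Event ID 36887 / alert code 40 symptom described above (TLS alert 40 is handshake_failure). It assumes remote WMI and event log access when a remote ComputerName is given.

```powershell
# Added example, not the original post's script. Checks the two patches and
# looks for the Schannel "fatal alert code is 40" events the KB article describes.

function Test-SchannelHotfix {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$HotfixId = @('KB2992611', 'KB3011780')
    )
    foreach ($id in $HotfixId) {
        # Get-HotFix reads Win32_QuickFixEngineering, the same class the VBScript queries
        $hf = Get-HotFix -Id $id -ComputerName $ComputerName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $ComputerName
            HotfixId    = $id
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
}

function Get-SchannelAlert40 {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Event 36887 covers every fatal alert; keep only alert code 40 (handshake_failure)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'fatal alert code is 40\b' } |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Usage: report patch state, then warn if the alert-40 symptom is present
Test-SchannelHotfix | Format-Table -AutoSize
$alerts = @(Get-SchannelAlert40)
if ($alerts.Count -gt 0) {
    Write-Warning "$($alerts.Count) Schannel alert-40 event(s) in the last 24h; see the KB2992611 cipher suite workaround."
    $alerts | Format-Table -AutoSize -Wrap
}
```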
FYI: The SSL Labs site provides a nice test to check your sites.
References:
- http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
- http://www.infoworld.com/article/2849292/operating-systems/more-patch-problems-reported-with-the-ms14-066-kb-2992611-winshock-mess.html
- http://www.infoworld.com/article/2849357/microsoft-windows/microsoft-ms14-066kb-2992611-schannel-ms14-068kb-3011780-kb-3000850.html
- http://serverfault.com/questions/645449/weblogic-10-3-2-ldap-authentication-failure-after-domain-controller-patch-ms14-0
- http://tritoneco.com/2014/11/19/microsofts-kb2992611-critical-ssl-tls-update-fiasco/