WinShock, KB2992611 (and V2), KB3011780, Critical Schannel Vulnerability CVE-2014-6321

This is the exploit surrounding the Microsoft Secure Channel (Schannel) security package in Windows.

• MS14-066 11/11/14: Microsoft released KB2992611 which didn’t exactly fix everything, and in fact left some users in perhaps a worse situation.

The patches:

• Windows 7 x32
• Windows 7 x64
• Server 2008 R2 x64
• Windows 8 x32
• Windows 8 x64
• Windows 8.1 x32
• Windows 8.1 x64
• Server 2012
• Server 2012 R2

List of issues:

• http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
• http://www.infoworld.com/article/2849292/operating-systems/more-patch-problems-reported-with-the-ms14-066-kb-2992611-winshock-mess.html
• http://www.infoworld.com/article/2849357/microsoft-windows/microsoft-ms14-066kb-2992611-schannel-ms14-068kb-3011780-kb-3000850.html
• http://serverfault.com/questions/645449/weblogic-10-3-2-ldap-authentication-failure-after-domain-controller-patch-ms14-0
• https://social.technet.microsoft.com/Forums/windowsserver/en-US/218cf562-3dab-4d09-adcc-74f65d0f29f1/winshock-kb2992611-patch-breaks-iis?forum=winserversecurity

The result: TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive. You may also receive an error message that resembles the following in the System log in Event Viewer:

Log Name: System
Source: Schannel
Date: Date and time
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ComputerName
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Microsoft’s workaround, which you can read in the KB article, involves deleting four Registry values, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, and TLS_RSA_WITH_AES_128_GCM_SHA256.

Then there’s all the reported SQL issues that this patch then caused as well as all the IIS issues etc.

Step forward now to MS14-068 18/11/14 and Microsoft Releases V2 of the above patches, re-releasing KB2992611 and adding also the new KB3011780.

• Windows 7 x32
• Windows 7 x64
• Server 2008 R2 x64
• Windows 8 x32
• Windows 8 x64
• Windows 8.1 x32
• Windows 8.1 x64
• Server 2012
• Server 2012 R2

KB3011780 should fix the Kerberos issue:

The vulnerability will] allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

The ‘good’ news is that Windows update should look after most of this for you, you can always check the status of the updates using this simple VBScript:

'Enter the hotfix number to check for: 
HotFixID = "2992611 or 3011780" 'ONLY the number, no letters here!   
'Enter the name of the computer to check: 
ComputerName = "."    'Replace the dot with a computer name, to connect to a remote computer 
 
 
status = CheckParticularHotfix(ComputerName, HotFixID) 
If status = true then 
    wscript.Echo "The hotfix with number " & HotFixID & " IS installed." 
Elseif status = false Then 
    wscript.Echo "The hotfix with number " & HotFixID & " is NOT installed." 
else  
    'Error 
    wscript.Echo "Error, unable to check for hotfix. Error is: " & status 
end if 
 
private Function CheckParticularHotfix(strPuter, strHotfixID) 
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''  
    ' Version 1.0 
    ' Checks if a particular hotfix is installed or not.  
    ' This function has these 3 return options: 
    ' TRUE, FALSE,   
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''  
    On error resume next 
    Set objWMIService = GetObject("winmgmts:" _ 
        & "{impersonationLevel=impersonate}!\\" & strPuter & "\root\cimv2") 
    if err.number <> 0 then 
        CheckParticularHotfix = "WMI could not connect to computer '" & strPuter & "'" 
        exit function 'No reason to continue 
    end if 
     
    strWMIforesp = "Select * from Win32_QuickFixEngineering where HotFixID = 'Q" & strHotfixID &_  
    "' OR HotFixID = 'KB" & strHotfixID & "'" 
    Set colQuickFixes = objWMIService.ExecQuery (strWMIforesp) 
    if err.number <> 0 Then    'if an error occurs 
        CheckParticularHotfix = "Unable to get WMI hotfix info" 
    else 'Error number 0 meaning no error occured  
        tal = colQuickFixes.count 
        if tal > 0 then 
            CheckParticularHotfix = True    'HF installed 
        else  
            CheckParticularHotfix = False    'HF not installed 
        end If 
    end if 
    Set colQuickFixes = Nothing 
     
    Err.Clear 
    On Error GoTo 0 
end function 

FYI: The SSQLLabs site provides a nice test to check your sites.

References:

• http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
• http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
• http://www.infoworld.com/article/2849292/operating-systems/more-patch-problems-reported-with-the-ms14-066-kb-2992611-winshock-mess.html
• http://www.infoworld.com/article/2849357/microsoft-windows/microsoft-ms14-066kb-2992611-schannel-ms14-068kb-3011780-kb-3000850.html
• http://serverfault.com/questions/645449/weblogic-10-3-2-ldap-authentication-failure-after-domain-controller-patch-ms14-0
• http://tritoneco.com/2014/11/19/microsofts-kb2992611-critical-ssl-tls-update-fiasco/