Today, Microsoft has released a security update that resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows, which provides security protocol support for applications. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.
Note:
While only a single Common Vulnerabilities and Exposures (CVE) item is linked to this update (CVE-2014-6321), citing Qualys CTO Wolfgang Kandek this CVE covers multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses:
“The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private as they were found by Microsoft internally and while Microsoft considers it technically challenging to code an exploit it is only a matter of time and resources, it is prudent to install this bulletin in your next patch cycle.”
This security update is rated Critical for all supported releases of Microsoft Windows.
The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets.
About the Secure Channel
The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing and Active Directory authentication. Schannel is part of the security package that helps provide an authentication service to provide secure communications between client and server following the below architecture:
Additionally…
In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to available TLS cipher suites. This update includes new TLS cipher suites that offer more robust encryption to protect customer information:
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
These new cipher suites all operate in Galois/Counter mode (GCM), and two of them (1. and 2.) offer Perfect Forward Secrecy (PFS) by using Diffie-Hellman Ephemeral (DHE) key exchange together with RSA authentication.
Note:
Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 have seen these new cipher suites added towards the top of the priority order in April with KB2929781 Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2.
Call to Action
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers, but exploitation of this vulnerability might prove interesting for malicious persons due to its impact.
Since no mitigating factors or workarounds are available, I urge you to install KB2992611 in a test environment as soon as possible, assess the risks and possible impact on your production environment and, then, roll out this update to all systems within your networking infrastructure, both workstations and servers.
Related Knowledgebase articles
2992611 MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014
2929781 Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2
Further reading
What is TLS/SSL?
Secure Channel
Microsoft Security Bulletin Summary for November 2014
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
CVE-2014-6321
Login