Last week, Microsoft released 14 security bulletins as part of Patch Tuesday for November 2014. The updates contained four rated as critical, but one has been receiving the most of attention: A vulnerability that affects Windows Secure Channel (SChannel) security package in Windows.
While Microsoft released the update (MS14-066) to address the Schannel Remote Code Execution Vulnerability (CVE-2014-6321), the software giant has reported that some users who have applied the patch are having issues, including a fatal TLS error.
“We are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail,” Microsoft noted in a knowledge base article. “When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive.”
Microsoft warned that some users may receive an error message that resembles the following in the System log in Event Viewer:
Log Name: System
Source: Schannel
Date: Date and time
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ComputerName
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
Fortunately, Microsoft provided a work around for the issue, which involves deleting certain cipher entries in the registry, but warned that serious problems might occur if users modify the registry incorrectly.
Microsoft did not pull the patch, which it has done previously with botched updates, and has not suggested that users avoid applying the patch.
The Microsoft Schannel Remote Code Execution Vulnerability, which some have referred to as “WinShock”, allows attacker to run arbitrary code on a target system by sending specially crafted packets to a Windows Server or workstation (client) that is running an affected version of Schannel.
What is SChannel and What Does it Do?
Secure Channel contains a set of security protocols that provide encrypted identity authentication and secure communication. The package is used by software using built-in SSL and TLS, including IIS, Active Directory, OWA, Exchange, Internet Explorer, and Windows Update.
While Microsoft indicated that there are no known exploits in the wild and the development of exploit code will be challenging, the flaw is reported to affect all Windows servers and clients and should be patched as soon a possible.
Microsoft’s security patches are habitually reverse-engineered by attackers to develop exploits, which can often happen in a matter of days. US-CERT pointed out that on Friday, Nov. 14, an anonymous user threatened to publish an exploit in a post to Pastebin.
“Based on the fact that this vulnerability has been discovered in all versions of SChannel going back to Windows 95, it will most likely be the first true “forever-day” vulnerability for Windows NT, Windows 2000, and Windows X,” said Joe Barrett, a Senior Security Consultant with Foreground Security. “As Microsoft has ceased all support and publicly stated they will no longer release security patches, enterprises who still have Windows 2000 and Windows XP machines will find themselves in the uncomfortable situation of having an exploitable-but-unpatchable system on their network.”
“Security researchers and blackhats alike are most likely racing to get the first workable exploit against this vulnerability, and the bad guys will begin immediately using it to compromise as much as they can,” Barrett said. “As a result, enterprises need to immediately deploy the patch to every system they can and also begin isolating and removing the unpatchable systems to prevent serious compromise of their networks.”
“While having unpatched assets over the next day or so is unlikely to result in immediate compromise due to the reported complexity of the exploit, it is not worth the risk,” Josh Feinblum, Vice President of Information Security at Rapid7, noted in a Nov. 12 blog post.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tightlipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated,” said Gavin Millard, technical director, EMEA at Tenable Network Security. “It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data.”
Is “WinShock” as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them,” Millard said.
“Reliable exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems,” Craig Young, security researcher at Tripwire, told SecurityWeek. “Heartbleed was less powerful because it was ‘just’ an information disclosure bug and Shellshock was remotely exploitable only in a subset of affected systems.”
“Similar to the well-documented Heartbleed exploit, this is yet another example of a latent vulnerability that could have far-reaching effects,” said JD Sherry, vice president, technology and solutions, Trend Micro. “When news like this breaks, cyber criminals go into hyperdrive developing attacks to take advantage of the flaw. As such, it’s important to quickly respond to avoid system disruption and compromise.
“Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky,” Young said. “Hopefully, this will give admins enough time to patch their systems before we see exploits.”