SChannel Update and Experimental Vulnerability Scanner (MS14-066)
Just a quick update on the SChannel problem (MS14-066, CVE-2014-6321). So far, there is still no public available exploit for the vulnerability, and details are still sparse. But apparently, there is some progress in developing a working exploit. For example, this tweet by Dave Aitel :
Overall: Keep patching, but I hope your weekend will not be disrupted by a major new exploit being released.
Emerging Threats also released some public/free snort rules that promise to cover the various vulnerabilities patched by MS14-066. (http://emergingthreats.net/daily-ruleset-update-summary-11132014/)
I also got a VERY experimental scanner that may be helpful scanning for unpatched hosts. This scanner does not scan for the vulnerability. Instead, it scans for support for the 4 new ciphers that were added with MS14-066. Maybe someone finds it helpful. Let me know if it works. It is a bash script and uses openssl on Unix. You will need at least openssl version 1.0.1h (and you need to connect directly to the test server, not a proxy).
See: https://isc.sans.edu/diaryimages/MSFT1466test.sh (sig: MSFT1466test.sh.asc)
feedback welcome.
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Have a feeling the GCM ciphers only appear for TLSv1.2, which may or may not be enabled, depending on other aspects of the server config.
Also, the MS14-066 advisory mentions adding 4 GCM ciphers, whereas one of your 4 doesn't look to be GCM, so I'm not sure how it fits in.
Chris
Anonymous
Nov 14th 2014
9 years ago
Anonymous
Nov 14th 2014
9 years ago
If anybody knows of a free set of signatures, I'd like to get my hands on them.
Anonymous
Nov 14th 2014
9 years ago
http://pastebin.com/bsgX01dU
https://gist.github.com/hmoore-r7/3379af8b0419ddb0c76b
In one case, the author threatens to anonymously publish the exploit code if Microsoft does not change the exploitability assessment to 0- Exploitation Detected by the end of Friday, 11/14/14.
"Microsoft has until the end of day Friday the 14th to change MS14-066 Exploit-ability Assessment to "0- Exploitation Detected". If they do not, I will anonymously distribute "The Exploit"."
Anonymous
Nov 14th 2014
9 years ago
Anonymous
Nov 14th 2014
9 years ago
MS14-066 - Critical
- https://technet.microsoft.com/library/security/ms14-066
- Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.
- Originally posted: November 11, 2014
- Updated: November 18, 2014
- Bulletin Severity Rating: Critical
- Version: 2.0
Anonymous
Nov 18th 2014
9 years ago