Thursday, 13 November 2014

Drop what you're doing and patch the Windows Schannel bugs now

It didn't take me long yesterday to realize that the stand-out vulnerability disclosed by Microsoft was MS14-066 "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)". I know you know it's rated critical, but this one is different. Drop everything and apply it. At the very least make sure that your IPS systems have updates to deal with it.
Microsoft's description of the vulnerability is terse, but ominous: "An attacker who successfully exploited this vulnerability could run arbitrary code on a target server. An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server." In other words, if I can send packets to the server, I can run my code on it in the context of Schannel. This is an extremely big and bad thing.
Schannel is the component of Windows that implements SSL/TLS. (This is, by the way, the reason they took this opportunity to add some new ciphers to the Windows TLS suite, as long as they were already updating schannel.dll.) It is the equivalent of significant parts of OpenSSL.
Speaking of OpenSSL (and Bash and other open source programs which have recently experienced major vulnerability disclosures), MS14-066 underscores a major difference in the way Microsoft does things. At the same time we learned about Heartbleed and Shellshock, we learned full details of the vulnerabilities and the full horror of their implications.
Not so with the Schannel bug (the vulnerability with no name yet). Unlike Bash and OpenSSL, patches don't include source code, and so far nobody is publishing details of the vulnerability, although there's reason to believe someone will. More about this below.
Is it just one vulnerability as Microsoft says? They use the singular in their bulletin and assign it just one CVE number (CVE-2014-6321). But a Cisco/Talos blog on yesterday's updates says "...there's actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses." Talos is basically Sourcefire, the IPS people, so they likely received information about the vulnerability from Microsoft through the MAPP program to help them to develop Snort/Sourcefire signatures for it. (Perhaps they aren't supposed to blab... make that 'blog' about it like this.)
But it just goes to show that we don't know much about the Schannel bug other than that it has the potential to be catastrophic and as easy to exploit as Shellshock. Based on what Microsoft says, it might be possible for a remote, unauthenticated attacker to build a man-in-the-middle attack directly into Schannel. It's the zombie apocalypse.
Some more confusion over this bug: The Microsoft bulletin says that it was "privately reported," but a Microsoft SRD (Security Research and Defense) blog from yesterday describes it as "Internally found during a proactive security assessment." Add to that the line in the bulletin that says "Microsoft received information about this vulnerability through coordinated vulnerability disclosure" and the source of this vulnerability or vulnerabilities to Microsoft becomes utterly opaque.
The phrase "coordinated vulnerability disclosure" implies that someone else should be disclosing details of the vulnerability, usually whoever found it and disclosed it to Microsoft. I'm aware of no such disclosure, but once we do know more we will know just what mischief it/they makes possible.
In the meantime the only responsible thing to do is to assume the worst. Make sure there are signatures for your IPS to detect and block exploits of this vulnerability/these vulnerabilities. Apply the updates ASAP.