On the 11th November 2014, Microsoft revealed the existence of a critical vulnerability residing in all versions of their flagship operating system since Windows 95. The vulnerability lies within the Microsoft Secure Channel (SChannel) Security Support Provider (SSP) component, which allows the operating system to provide encrypted secure communications. This is particularly dangerous for Windows-based hosts that are exposing SSL/TLS services.
In principle, the flaw may allow an attacker to execute arbitrary code on a vulnerable server, and potentially take control of the machine. Whilst this attack has not been seen in the wild yet, and no public exploit code has been released so far, it’s possible – if not likely – that this will be the case in the near future. It’s time to get a head-start.
Could my organisation be vulnerable?
If your organisation uses systems with Windows operating systems, then it is highly likely that there are vulnerable machines on your network. Technically all versions from Windows 95 onwards are vulnerable until patched, which includes all currently supported versions. We strongly recommend resolving the issue as a matter of priority.
Currently this flaw is not being exploited in the wild. However, some proof-of-concept code has been seen already, and organisations should prepare for exploits to be made public in the near future.
How can we detect the issue?
Since very limited information is available at present as to how the vulnerability works, the best way to check for the presence of this flaw is to find out whether the relevant MS14-066 patch has been applied or not.
The SureCloud platform has the capability to detect this missing patch via internal credentialed scans, available to those customers who have our internal on-demand scanning service. Look out for vulnerability 79127, namely “Vulnerability in Schannel Could Allow Remote Code Execution”. Before running your scan, ensure that your internal scanning appliance is configured to conduct credentialed/privileged scans. Please open a support ticket with us if you’re not sure.
What can we do to protect our organisation?
Apply the relevant patch from Microsoft: https://support.microsoft.com/kb/2992611
Public-facing servers should be the priority, although all machines should be patched.
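To help with the patch check and prioritisation described above, here is an added example script (not SureCloud's or Microsoft's code): it reports whether KB2992611 appears in the installed hotfix list and which Schannel-backed ports are listening on the host. It assumes Windows PowerShell 3 or later; the KB id comes from the advisory, while the port list is a common default you should adjust to your own estate.

```powershell
# Added example: report MS14-066 patch status and listening TLS-backed ports
# so that unpatched, public-facing hosts can be patched first.
function Test-MS14066 {
    param(
        # KB2992611 is the id given in the advisory. Later cumulative updates may
        # supersede it, so a missing id is a prompt to verify, not proof of exposure.
        [string[]]$KbIds = @('KB2992611'),
        # Ports commonly served through Schannel (HTTPS, RDP, LDAPS); assumed defaults.
        [int[]]$TlsPorts = @(443, 3389, 636)
    )

    # Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }

    # Listening ports: use Get-NetTCPConnection where available, netstat otherwise.
    $listening = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $TlsPorts -contains $_.LocalPort } |
            Select-Object -ExpandProperty LocalPort -Unique
    } else {
        # netstat fallback for hosts without the NetTCPIP module (e.g. Server 2008)
        $listening = netstat -an | Select-String 'LISTENING' | ForEach-Object {
            $local = ($_.Line.Trim() -split '\s+')[1]   # e.g. 0.0.0.0:443 or [::]:443
            [int](($local -split ':')[-1])
        } | Where-Object { $TlsPorts -contains $_ } | Sort-Object -Unique
    }

    # An unpatched host with a listening TLS service is the highest priority.
    $priority = if (-not $installed -and $listening) { 'High' }
                elseif (-not $installed) { 'Medium' }
                else { 'Patched' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PatchFound   = [bool]$installed
        PatchIds     = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
        TlsPortsOpen = ($listening -join ',')
        Priority     = $priority
    }
}

Test-MS14066 | Format-List
```

Run it from an elevated prompt on each host, or wrap the call in Invoke-Command to collect results across the estate.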
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
References
https://technet.microsoft.com/library/security/MS14-066
https://support.microsoft.com/kb/2992611
https://www.bbc.co.uk/news/technology-30019976
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organisation may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in line with any existing internal change control procedures.