26 November 2014

Microsoft Schannel Remote Code Execution Vulnerability: CVE-2014-6321

You may have read recently about the Microsoft Schannel vulnerability (CVE-2014-6321), also called “WinShock”. This is a very serious bug in Windows Schannel, the system that deals with all SSL/TLS connections. As yet, there is no known working exploit code in the wild. Nevertheless, this is a big deal: it is only a matter of time before exploits are seen in the wild, and when that happens there will be an explosion of servers being attacked worldwide. To give you an idea of the potential severity:

  • If exploited, the vulnerability allows remote code execution
  • Microsoft rates this as Critical, but has not identified any mitigating factors or workarounds
  • The vulnerability affects all Windows versions
  • Exploits can attack both clients and servers
  • Due to the vulnerability being within SSL/TLS, it is not possible for your Tesserent gateway to provide 100% protection

The fact that there is no currently known exploit code gives you a time window to patch your hosts. However, we strongly recommend that you patch all of your Windows machines as a matter of some urgency, because now that the patch is released, attackers can reverse engineer it to better understand how to create an exploit.

It is not uncommon, especially when a patch is rushed out like this, to see further patches released soon after. It would be a good idea to also watch out for any follow-up patches that may be required in the weeks to come.

Further information regarding this vulnerability can be found here: https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

If you have any questions regarding the Microsoft vulnerability, please feel free to submit a ticket or call the SOC to discuss.

Regards,
Redscan Security Operations Centre
