It has been a week since Microsoft announced its November bulletins, and we have seen quite a bit of movement around the Schannel bulletin MS14-066, which immediately attracted the attention of the security community.
But first to Microsoft's latest release – MS14-068. Last week this bulletin was held back for some last-minute testing. Microsoft has now released it out-of-band because it has seen limited exploitation of the vulnerability in the wild. MS14-068 is a patch for all supported Windows operating systems, but it is rated critical only for the server versions, i.e. Server 2003, 2008 and 2012. The reason is that the vulnerability sits in the Kerberos Key Distribution Center (KDC), which runs on domain controllers: it can be used to elevate a normal domain user to domain administrator, which explains the critical rating and makes the domain controllers the systems to patch first. Microsoft provides more information in its SRD blog post.
But back to Schannel. Security researchers were drawn to this bulletin immediately because it updates Microsoft's SSL/TLS implementation, fixing remote code execution and information leakage issues that were found internally at Microsoft during a code audit. No further details have been published, but in scope this sounds quite similar to April's Heartbleed problem in OpenSSL, which was widely publicized and had a number of documented abuse cases. Speculation aside, researchers have made significant headway in finding out more about the flaws addressed. Dave Aitel from Immunity tweeted last Thursday that they had gone beyond a crash and gained control of the instruction pointer in LSASS, the process that hosts Schannel, on Windows servers running SSL/TLS, reached over RDP without authentication (daveaitel on Twitter: "LSASS eip control via ms14-066 + preauth RDP achieved in lab. Will be in CANVAS Early Updates tom…"), and yesterday followed up with a video of full RCE against the Remote Desktop Protocol (RDP) service on Windows.
Just as Immunity's researchers and the team at BeyondTrust (Triggering MS14-066 | BeyondTrust) have made progress, the dark side is certainly working on an exploit for these vulnerabilities. It is now high time to patch. Hopefully you have tested the updates and are confident that none of the documented issues apply to your setups. The problems documented so far concentrate on dropped connections and performance, and seem largely confined to TLS 1.2 and the new cipher suites that the update introduced. The associated KB article and download have been updated to remove the offending cipher suites and should not cause any more issues. If you installed the first release, it is worth checking which cipher suites are now in your Schannel cipher suite order.
We will update this post when we get new information. In particular, I wonder whether RDP installations that have Network Level Authentication (NLA) enabled are susceptible to Immunity's exploit code. NLA is the safer configuration for RDP and has neutralized RDP vulnerabilities before, so this may be another reason to revisit that setting. One caveat: NLA's CredSSP exchange is itself carried over a TLS connection that Schannel terminates before the client has authenticated, so NLA should not be treated as a substitute for the patch.
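As an added example that is not part of the original post, the following PowerShell audit checks one Windows host for the three things discussed above: whether the MS14-066 Schannel update is installed, whether the cipher suites that the first release added are still in the effective cipher suite order, and whether RDP requires NLA. It assumes that the MS14-066 update package is KB2992611 and that the withdrawn suites are the four GCM suites listed in the script; neither the KB number nor the suite names appear in the post. It reads the cipher order from the registry rather than a cmdlet so that it runs on Server 2008 R2 and 2012 as well.

```powershell
# Added example, not from the original post: audits a Windows host for the
# MS14-066 state discussed above. Run from an elevated PowerShell prompt.
# Assumptions (not stated on the page): the MS14-066 update package is
# KB2992611, and the cipher suites that the first release added and the
# re-release withdrew are the four GCM suites in $WithdrawnSuites.

$Ms14066Kb = 'KB2992611'
$WithdrawnSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Schannel cipher suite order: a group-policy order (REG_SZ, comma-separated)
# takes precedence over the local default order (REG_MULTI_SZ).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuiteOrder {
    foreach ($key in @($PolicyKey, $LocalKey)) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if (-not $value) { continue }
        if ($value -is [string]) { $value = $value -split ',' }   # policy key stores one string
        return ($value | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return @()
}

# 1. Is the Schannel update present at all?
$hotfix = Get-HotFix -Id $Ms14066Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "[OK]   $Ms14066Kb installed on $($hotfix.InstalledOn)"
} else {
    "[FAIL] $Ms14066Kb not installed; Schannel is unpatched"
}

# 2. Are the withdrawn suites still in the effective cipher suite order?
#    These are the suites tied to the TLS 1.2 connection problems described above.
$order    = @(Get-SchannelCipherSuiteOrder)
$leftover = @($order | Where-Object { $WithdrawnSuites -contains $_ })
if ($leftover.Count -gt 0) {
    "[WARN] withdrawn GCM suites in cipher order: $($leftover -join ', ')"
    "       Apply the re-released update, or remove them from the order via group policy."
} elseif ($order.Count -eq 0) {
    "[INFO] no cipher suite order found in the registry (Schannel built-in defaults apply)"
} else {
    "[OK]   none of the withdrawn GCM suites are in the cipher order"
}

# 3. Does RDP require Network Level Authentication?
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
if (-not $rdp) {
    "[INFO] RDP-Tcp listener not found (Remote Desktop may be disabled)"
} elseif ($rdp.UserAuthenticationRequired -eq 1) {
    "[OK]   RDP requires NLA"
} else {
    "[WARN] RDP accepts connections without NLA"
    # To require NLA, uncomment the next line (applies to new connections):
    # $rdp.SetUserAuthenticationRequired(1) | Out-Null
}
```

The cipher-order check is deliberately read-only: if the withdrawn suites show up, the clean fix is the re-released update, and any manual change to the order should go through the same group policy that manages it, otherwise the next policy refresh reverts it.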