Microsoft Security Advisory 3009008


anuseems

Microsoft Security Advisory 3009008

Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014

Version: 1.0

General Information

Executive Summary

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

The attacker must make several hundred HTTPS requests before the attack could be successful.

TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

CVE Reference: CVE-2014-3566

Affected Software

This advisory discusses the following software.

Affected Software

Operating System

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT

Windows RT 8.1

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

Advisory FAQ

What is the scope of the advisory?

The purpose of this advisory is to notify customers that Microsoft is aware of detailed information describing a new method to exploit a vulnerability affecting SSL 3.0. This vulnerability is an information disclosure vulnerability.

How could an attacker exploit the vulnerability?

In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted TLS session forcing clients to use SSL 3.0 and then force the browser to execute malicious code. This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker could then intercept this HTTPS traffic, and by exploiting a weakness in the CBC block cypher in SSL 3.0, could decrypt portions of the encrypted traffic (e.g. authentication cookies).

What might an attacker use this vulnerability to do?

An attacker who successfully exploited this vulnerability could decrypt portions of the encrypted traffic.

What causes the vulnerability?

The vulnerability is caused by a weakness in the CBC encryption algorithm used in SSL 3.0.

What is SSL?

Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the data transported over the network, using cryptography for privacy and a keyed message authentication code for message reliability.

What is TLS?

Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or on intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

Is TLS affected by this issue?

No. This issue is specific to SSL 3.0.

Is this an industry-wide issue?

Yes. The vulnerability resides in the design of the SSL 3.0 protocol and is not limited to Microsoft's implementation.

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available.

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Group Policy

You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Turn Off Encryption Support Group Policy Object.

1. Open Group Policy Management.
2. Select the group policy object to modify, right click and select Edit.
3. In the Group Policy Management Editor, browse to the following setting:
   Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page -> Turn Off Encryption Support
4. Double-click the Turn off Encryption Support setting to edit the setting.
5. Click Enabled.
6. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
7. Click OK.

Note: Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.

Warning: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don't support TLS 1.0, TLS 1.1, and TLS 1.2.

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer

You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Advanced Security settings in Internet Explorer.

To change the default protocol version to be used for HTTPS requests, perform the following steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
4. Click OK.
5. Exit and restart Internet Explorer.

Warning: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don't support TLS 1.0, TLS 1.1, and TLS 1.2.

https://technet.microsoft.com/en-us/library/security/3009008.aspx

ok, the steps are simple then

and SSL 2.0 should be disabled too ?

Very much, yes...

:o

ok, then the workaround is simple :P

disable SSL 2.0 and SSL 3.0 completely, and only leave enabled TLS 1.0, TLS 1.1 and TLS 1.2.

ok, then the workaround is simple :P

disable SSL 2.0 and SSL 3.0 completely, and only leave enabled TLS 1.0, TLS 1.1 and TLS 1.2.

Do this in every browser you're running, in Thunderbird and Java if you use them...

If you are running a server the list gets bigger. Apache, Nginx and more - if you also maintain a mailserver.

:uhuh:
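
An added example, not part of the original thread or the advisory: before disabling SSL 3.0 on a server, this script counts which clients still negotiate SSL 3.0 with a CBC suite (the affected combination per the advisory) and which clients would fail to connect once SSL 3.0 is off. The log format (nginx `$ssl_protocol` and `$ssl_cipher` fields), the addresses and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed nginx log_format:
#   '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$request" $status'
SAMPLE_LOG = """\
198.51.100.7 [14/Oct/2014:09:12:01 +0000] SSLv3 AES128-SHA "GET / HTTP/1.1" 200
198.51.100.7 [14/Oct/2014:09:12:02 +0000] SSLv3 AES128-SHA "GET /a.css HTTP/1.1" 200
203.0.113.20 [14/Oct/2014:09:13:40 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200
203.0.113.21 [14/Oct/2014:09:14:05 +0000] SSLv3 RC4-SHA "GET / HTTP/1.1" 200
203.0.113.22 [14/Oct/2014:09:15:30 +0000] TLSv1 DES-CBC3-SHA "GET / HTTP/1.1" 200
203.0.113.20 [14/Oct/2014:09:16:00 +0000] SSLv3 DES-CBC3-SHA "GET /login HTTP/1.1" 302
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] (SSLv3|SSLv2|TLSv1(?:\.[0-3])?) (\S+) ')

def uses_cbc(cipher):
    """In SSL 3.0 a suite is either a stream cipher (RC4) or a CBC block
    cipher, so anything that is not RC4 or NULL is treated as CBC."""
    return "RC4" not in cipher and "NULL" not in cipher

def audit(log_text):
    """Return (exposed, ssl3_only, skipped).
    exposed:   client -> count of SSLv3 requests that negotiated a CBC suite
    ssl3_only: clients never seen on TLS, which will fail once SSLv3 is off
    skipped:   number of lines that did not parse"""
    exposed, seen, skipped = defaultdict(int), defaultdict(set), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        client, proto, cipher = m.groups()
        seen[client].add(proto)
        if proto == "SSLv3" and uses_cbc(cipher):
            exposed[client] += 1
    ssl3_only = sorted(c for c, p in seen.items() if p <= {"SSLv3", "SSLv2"})
    return dict(exposed), ssl3_only, skipped

if __name__ == "__main__":
    exposed, ssl3_only, skipped = audit(SAMPLE_LOG)
    print("SSLv3+CBC requests per client:", exposed)
    print("Clients that only spoke SSL:", ssl3_only)
    print("Unparsed lines:", skipped)
```

A client seen on both TLS and SSL 3.0, like 203.0.113.20 in the sample, matches the downgrade step the advisory describes and is worth reviewing.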
