anuseems Posted October 15, 2014 Share Posted October 15, 2014 Microsoft Security Advisory 3009008Vulnerability in SSL 3.0 Could Allow Information DisclosurePublished: October 14, 2014Version: 1.0On this page General Information Advisory Details Affected Software Advisory FAQ Suggested Actions Acknowledgments Other InformationGeneral InformationExecutive SummaryMicrosoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.Mitigating Factors: The attacker must make several hundred HTTPS requests before the attack could be successful. TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.Recommendation. Please see the Suggested Actions section of this advisory for more information.Advisory DetailsIssue ReferencesFor more information about this issue, see the following references:ReferencesIdentificationCVE ReferenceCVE-2014-3566 Affected SoftwareThis advisory discusses the following software.Affected SoftwareOperating SystemWindows Server 2003 Service Pack 2Windows Server 2003 x64 Edition Service Pack 2Windows Server 2003 with SP2 for Itanium-based SystemsWindows Vista Service Pack 2Windows Vista x64 Edition Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2Windows Server 2008 for x64-based Systems Service Pack 2Windows Server 2008 for Itanium-based Systems Service Pack 2Windows 7 for 32-bit Systems Service Pack 1Windows 7 for x64-based Systems Service Pack 1Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Windows 8 for 32-bit SystemsWindows 8 for x64-based SystemsWindows 8.1 for 32-bit SystemsWindows 8.1 for x64-based SystemsWindows Server 2012Windows Server 2012 R2Windows RTWindows RT 8.1Server Core installation optionWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2012 (Server Core installation)Windows Server 2012 R2 (Server Core installation)Advisory FAQWhat is the scope of the advisory? The purpose of this advisory is to notify customers that Microsoft is aware of detailed information describing a new method to exploit a vulnerability affecting SSL 3.0. This vulnerability is an information disclosure vulnerability.How could an attacker exploit the vulnerability? In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted TLS session forcing clients to use SSL 3.0 and then force the browser to execute malicious code. This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker could then intercept this HTTPS traffic, and by exploiting a weakness in the CBC block cypher in SSL 3.0, could decrypt portions of the encrypted traffic (e.g. authentication cookies).What might an attacker use this vulnerability to do? An attacker who successfully exploited this vulnerability could decrypt portions of the encrypted traffic.What causes the vulnerability? The vulnerability is caused by a weakness in the CBC encryption algorithm used in SSL 3.0.What is SSL? Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the data transported over the network, using cryptography for privacy and a keyed message authentication code for message reliability.What is TLS?Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or on intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.Is TLS affected by this issue?No. This issue is specific to SSL 3.0.Is this an industry-wide issue? Yes. The vulnerability resides in the design of the SSL 3.0 protocol and is not limited to Microsofts implementation.Suggested ActionsApply WorkaroundsWorkarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Group Policy You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Turn Off Encryption Support Group Policy Object. Open Group Policy Management. Select the group policy object to modify, right click and select Edit. In the Group Policy Management Editor, browse to the following setting: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page -> Turn Off Encryption Support Double-click the Turn off Encryption Support setting to edit the setting. Click Enabled. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2". Click OK.Dn818467.note(en-us,Security.10).gifNote:Note Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.Dn818467.note(en-us,Security.10).gifNote:Warning After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and dont support TLS 1.0, TLS 1.1, and TLS 1.2. Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Advanced Security settings in Internet Explorer. To change the default protocol version to be used for HTTPS requests, perform the following steps: On the Internet Explorer Tools menu, click Internet Options. In the Internet Options dialog box, click the Advanced tab. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available). Click OK. Exit and restart Internet Explorer.Dn818467.note(en-us,Security.10).gifNote:Warning After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and dont support TLS 1.0, TLS 1.1, and TLS 1.2. https://technet.microsoft.com/en-us/library/security/3009008.aspx Link to comment Share on other sites More sharing options...
SPECTRUM Posted October 15, 2014 Share Posted October 15, 2014 and SSL 2.0 should be disabled too ? Link to comment Share on other sites More sharing options...
brain_death Posted October 16, 2014 Share Posted October 16, 2014 and SSL 2.0 should be disabled too ?Very much, yes... :o Link to comment Share on other sites More sharing options...
clubhouse Posted October 16, 2014 Share Posted October 16, 2014 SSL 3.0 vulnerability discovered. Find out how to protect yourselfhttp://www.ghacks.net/2014/10/15/ssl-3-0-vulnerability-discovered-find-out-how-to-protect-yourself/ Link to comment Share on other sites More sharing options...
SPECTRUM Posted October 16, 2014 Share Posted October 16, 2014 ok, the steps are simple thenand SSL 2.0 should be disabled too ? Very much, yes... :o ok, then the workaround is simple :P disable SSL 2.0 and SSL 3.0 completely, and only leave enabled TLS 1.0, TLS 1.1 and TLS 1.2. Link to comment Share on other sites More sharing options...
brain_death Posted October 16, 2014 Share Posted October 16, 2014 ok, then the workaround is simple :Pdisable SSL 2.0 and SSL 3.0 completely, and only leave enabled TLS 1.0, TLS 1.1 and TLS 1.2.Do this in every browser you're running, in Thunderbird and Java if you use them...If you are running a server the list gets bigger. Apache, Nginx and more - if you also maintain a mailserver. :uhuh: Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.