Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

L4 Transporter

Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

Hello

Some bad news... this time addressed to Windows systems:

https://technet.microsoft.com/library/security/MS14-066

and some more news: SChannelShenanigans - Pastebin.com

At the moment this vulnerability isn't covered by Threat Prevention. We must wait some time, probably until tomorrow, because this is a critical vulnerability and last time PA responded very quickly to such problems.

Regards

Slawek

L4 Transporter

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

and finally we got it!

Version 469 Content Release Notes

Regards

Slawek

Not applicable

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

MS14-066 is *not* addressed in PAN Threat Release Version 469. Although it is an emergency release, the new filters added are for MS14-064 and MS14-065. MS14-066 is still nowhere to be found.

Any idea when this is expected?

FYI - for folks that are also TippingPoint customers, this is covered in Digital Vaccine #DV8633, released on November 11, 2014.


-Matt

--

*********************************************************
This DV includes coverage for the Microsoft Security
Bulletins released on November 11, 2014. The
following table maps TippingPoint filters to the
Microsoft Bulletins.

Bulletin #          TippingPoint Filter #
*********************************************************
MS14-065            16492*,16552*,16556*,16559*,16561*,16857*,16944*,16954,16955,16956*,16957,16960,16968
MS14-064            16926,16946
MS14-066            16961
MS14-069            16945,16950,16953

16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability

    Category: Vulnerabilities
    CVE: 2014-6321
    Description:
     This filter detects an attempt to exploit a buffer overflow
     vulnerability in the Microsoft Secure Channel (SChannel) security
     package.

    Use of RECOMMEND action as category setting will cause this filter to be:
     Disabled in default deployments.
     Enabled with the "block+notify" action set in aggressive deployments.
     Enabled with the "block+notify" action set in hyper-aggressive deployments.

L2 Linker

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

Good news! PAN-OS finally has coverage for MS14-066 in content release 470. I just downloaded it and confirmed that the release contains the 5 threat IDs. Please take a look at the release notes below and update your PAN-OS firewall to get the coverage.

Version 470 Content Release Notes

L7 Applicator

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

FYI...

[attached screenshot: app-id-470.JPG]

L2 Linker

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

To protect web servers with this threat signature, do we need to have SSL inbound inspection enabled?

L2 Linker

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

Hi RyanF,

In SSL inbound decryption, the PAN device uses the server's certificate and private key to decrypt the traffic between client and server. PAN doesn't terminate the TCP connections and doesn't modify the packets' data. Therefore the attack packets will reach the servers intact even if you have SSL inbound decryption. The signature should work with or without decryption in place by mitigating the attack traffic as it hits the PAN, before it reaches the destination servers. I hope that answers your question.

Regards,

Bezabih

L2 Linker

Re: Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

Awesome! Thank you for the quick response! You saved me a call to support. :)
