Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Vulnerability in Schannel Could Allow Remote Code Execution MS14-066 - Critical

L4 Transporter

Hello

Some bad news ... this time addressed to Windows Systems

https://technet.microsoft.com/library/security/MS14-066

and some news SChannelShenanigans - Pastebin.com

At the moment this volnureablity isnt covered by thread prevention. We must wait some time. Probably until tommorow because this is critical volnureability and PA last time very quicly responded to such problems.

Regards

Slawek

7 REPLIES 7

L4 Transporter

and finally we got it!

Version 469 Content Release Notes

Regards

Slawek

Not applicable

MS14-066 is *not* addressed in PAN Threat Release Version 469.  Although it is an emergency release, new filters are added for MS14-064 + MS14-065.  MS14-066 is still nowhere to be found. 


Any idea when is this expected?

FYI - for folks that are also TippingPoint customers, this is covered in Digital Vaccine #DV8633, released on November 11, 2014.


-Matt

--

*********************************************************

This DV includes coverage for the Microsoft Security

Bulletins released on November 11, 2014. The

following table maps TippingPoint filters to the

Microsoft Bulletins.

Bulletin #          TippingPoint Filter #

*********************************************************

MS14-065            16492*,16552*,16556*,16559*,16561*,16857*,16944*,16954,16955,16956*,16957,16960,16968

MS14-064            16926,16946

MS14-066            16961

MS14-069            16945,16950,16953

16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability

    Category: Vulnerabilities

    CVE: 2014-6321,

    Description:           

     This filter detects an attempt to exploit a buffer overflow

     vulnerability in Microsoft Secure Channel (SChannel) security

     package.

    Use of RECOMMEND action as category setting will cause this filter to be:

     Disabled in default deployments.

     Enabled with the "block+notify" action set in aggressive deployments.

     Enabled with the "block+notify" action set in hyper-aggressive deployments.

16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability

    Category: Vulnerabilities

    CVE: 2014-6321,

    Description:           

     This filter detects an attempt to exploit a buffer overflow

     vulnerability in Microsoft Secure Channel (SChannel) security

     package.

    Use of RECOMMEND action as category setting will cause this filter to be:

     Disabled in default deployments.

     Enabled with the "block+notify" action set in aggressive deployments.

     Enabled with the "block+notify" action set in hyper-aggressive deployments.

L2 Linker

Good news! Finally PANOS has got coverage for MS14-066 on content release 470. Just downloaded and confirmed the release containing the 5 threat ids. Please take a look at the release notes below and update your PANOS firewall to get the coverage.

Version 470 Content Release Notes

L7 Applicator

FYI..

app-id-470.JPG

L2 Linker

To protect web servers with this threat signature, do we need to have SSL inbound inspection enabled?

Hi RyanF,

In SSL inbound decryption, PAN device uses server’s certificate and private key to decrypt the traffic between client and server. PAN doesn't terminate the TCP connections and doesn't modify packets’ data. Therefore the attack packets will reach the servers intact even if you have SSL inbound decryption. The signature should work with/without the decryption in place by mitigating the attack traffic at it hits the PAN before it reaches the destination servers. I hope that answers your question.

Regards,

Bezabih

Awesome!  Thank you for the quick response!  You saved me a call to support.  Smiley Happy

  • 4094 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!