11-12-2014 12:16 PM
Hello
Some bad news ... this time addressed to Windows Systems
https://technet.microsoft.com/library/security/MS14-066
and some news SChannelShenanigans - Pastebin.com
At the moment this vulnerability isn't covered by threat prevention. We must wait some time. Probably until tomorrow, because this is a critical vulnerability and PA last time very quickly responded to such problems.
Regards
Slawek
11-14-2014 08:24 AM
MS14-066 is *not* addressed in PAN Threat Release Version 469. Although it is an emergency release, new filters are added for MS14-064 + MS14-065. MS14-066 is still nowhere to be found.
Any idea when is this expected?
FYI - for folks that are also TippingPoint customers, this is covered in Digital Vaccine #DV8633, released on November 11, 2014.
-Matt
--
*********************************************************
This DV includes coverage for the Microsoft Security
Bulletins released on November 11, 2014. The
following table maps TippingPoint filters to the
Microsoft Bulletins.
Bulletin # TippingPoint Filter #
*********************************************************
MS14-065 16492*,16552*,16556*,16559*,16561*,16857*,16944*,16954,16955,16956*,16957,16960,16968
MS14-064 16926,16946
MS14-066 16961
MS14-069 16945,16950,16953
16961: DTLS: Microsoft SChannel Cookie Length Buffer Overflow Vulnerability
Category: Vulnerabilities
CVE: 2014-6321,
Description:
This filter detects an attempt to exploit a buffer overflow
vulnerability in Microsoft Secure Channel (SChannel) security
package.
Use of RECOMMEND action as category setting will cause this filter to be:
Disabled in default deployments.
Enabled with the "block+notify" action set in aggressive deployments.
Enabled with the "block+notify" action set in hyper-aggressive deployments.
11-14-2014 08:49 PM
Good news! Finally PANOS has got coverage for MS14-066 on content release 470. Just downloaded and confirmed the release containing the 5 threat ids. Please take a look at the release notes below and update your PANOS firewall to get the coverage.
11-14-2014 10:34 PM
Hi RyanF,
In SSL inbound decryption, the PAN device uses the server’s certificate and private key to decrypt the traffic between client and server. PAN doesn't terminate the TCP connections and doesn't modify packets’ data. Therefore the attack packets will reach the servers intact even if you have SSL inbound decryption. The signature should work with/without the decryption in place by mitigating the attack traffic as it hits the PAN before it reaches the destination servers. I hope that answers your question.
Regards,
Bezabih
11-14-2014 10:36 PM
Awesome! Thank you for the quick response! You saved me a call to support.