Reference: CERT-EU Security Advisory 2014-248

Title: IMPORTANT: Critical Vulnerability in Schannel Could Allow Remote Code Execution (KB2992611)
CVE-2014-6321

Version history:
11.11.2014 Initial publication.

Dear Colleagues,

Overview:
=========
A privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows has been found. SCHANNEL is the standard SSL library that ships with Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

Microsoft also assigned this vulnerability an exploitability of "1", indicating that an exploit is likely going to be developed soon. [2]

For more information about this update, see Microsoft Security Bulletin MS14-066. [1]

Affected Software:
===========
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8 and Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1

Details:
===============
A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets.

FAQ:

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code on a target server.

How could an attacker exploit the vulnerability?
An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server.

What systems are primarily at risk from the vulnerability?
Server and workstation systems that are running an affected version of Schannel are primarily at risk, i.e. anything that runs SSL services on Windows (e.g., web servers, mail servers, etc.).

Recommendations:
===============
Apply update immediately.

Mitigating Factors:
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds:
Microsoft has not identified any workarounds for this vulnerability.

References:
===========
[1] https://technet.microsoft.com/library/security/MS14-066
[2] http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
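
One way to confirm that the "apply update immediately" recommendation above has been carried out across a set of hosts, as an added example that is not part of the CERT-EU advisory: it enumerates each host's installed hotfixes with Get-HotFix and looks for KB2992611. The host list and the function name Test-SchannelUpdate are assumptions of this example; a host that received the fix through a superseding update will not list this KB ID, so "Missing" means "check this host", not "confirmed vulnerable".

```powershell
# Added example (not from the advisory): report whether the update named
# in this advisory (KB2992611) is listed on each host.
param(
    # Placeholder inventory: defaults to the local machine only.
    [string[]]$Computers = @($env:COMPUTERNAME),
    [string]$KbId = 'KB2992611'
)

function Test-SchannelUpdate {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$KbId
    )
    try {
        # Enumerate every hotfix instead of asking for one ID, so that an
        # unreachable host (exception) is distinguishable from a reachable
        # host that simply does not list the update (empty match).
        $fixes = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop
        $hit = $fixes | Where-Object { $_.HotFixID -eq $KbId } |
            Select-Object -First 1
        $status = if ($hit) { 'Installed' } else { 'Missing' }
        [pscustomobject]@{
            Computer = $ComputerName
            KB       = $KbId
            Status   = $status
            Detail   = ''
        }
    }
    catch {
        # Query failed (host down, firewall, access denied): record the
        # reason so the host is followed up rather than assumed patched.
        [pscustomobject]@{
            Computer = $ComputerName
            KB       = $KbId
            Status   = 'Unreachable'
            Detail   = $_.Exception.Message
        }
    }
}

$Computers |
    ForEach-Object { Test-SchannelUpdate -ComputerName $_ -KbId $KbId } |
    Sort-Object Status, Computer |
    Format-Table -AutoSize -Wrap
```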