SChannel (or Secure Channel) is a proprietary Windows Security Support Provider (SSP) that contains a set of Security Protocols used primarily to secure HTTP connections through SSL and TLS.
Following the renowned 'Shellshock' vulnerability, which affected Linux, several vulnerabilities have been given the name 'WinShock'. CVE-2014-6321 is no exception to this trend and is the third such issue to receive the denomination this year. Care should therefore be taken to ensure that this issue is not mistaken for other vulnerabilities claiming to be 'WinShock', such as CVE-2014-6332 (a vulnerability in Windows OLE Automation Array) and a CMD Command Execution issue.
Microsoft has flagged the issue as Critical and it has been reported to occur upon receiving a specially crafted packet. The advisory by Microsoft provides minimal technical details but specifies that both SChannel clients and servers are vulnerable. No known public exploits are available at the moment.
Any client application using the SChannel implementation of SSL/TLS would be vulnerable. A user browsing with Internet Explorer (which relies on SChannel), for example, would be vulnerable to client-side exploitation of this vulnerability. In addition, even if the user had no applications running over SChannel, they would still be vulnerable to compromised sites, which may be modified in a manner to enable web-based attacks.
System administrators should be aware that any service relying on SChannel may facilitate the compromise of their Windows systems and networks. Many Windows services run over the SChannel implementation, such as Active Directory, IIS, Exchange, RDP and Windows Update. The Client Certificate Authentication functionality of SChannel is also vulnerable to CVE-2014-6321. Applying the patch requires rebooting the system, which may be an issue for critical systems.
The vulnerable code within SChannel is included in all recent (unpatched) Windows versions. The affected (supported) systems are:
Microsoft has released a security update which addresses the vulnerability by sanitising the specially crafted packets that trigger the issue. To protect against the SChannel vulnerability, Portcullis Security recommends updating your affected Windows systems as soon as possible.
The following mitigations can also be applied:
It should however be noted that mitigation is not the same as remediation. The only solution that addresses CVE-2014-6321 directly is the patch provided by Microsoft.