Tried, Tested and Proven

SChannel (or Secure Channel) is a proprietary Windows Security Support Provider (SSP) that contains a set of Security Protocols used primarily to secure HTTP connections through SSL and TLS.

Following the renowned `Shellshock’ vulnerability, which affected Linux, there have been several vulnerabilities claiming to be called `Winshock`. CVE-2014-6321 has not been an exception to this trend and is the third such issue to receive the denomination this year. Care should therefore be taken to ensure that this issue is not mistaken for other vulnerabilities claiming to be `WinShock’ such as CVE-2014-6332 (a vulnerability in Windows OLE Automation Array) and this CMD Command Execution.

Microsoft has flagged the issue as Critical and it has been reported to occur upon receiving a specially crafted packet. The advisory by Microsoft provides minimal technical details but specifies that both SChannel clients and servers are vulnerable. No known public exploits are available at the moment.

What does it expose?

Any client application using the SChannel implementation of SSL/TLS would be vulnerable. A user browsing with Internet Explorer for example (relying on SChannel) would be vulnerable to the client side exploitation of this vulnerability. In addition to this, even if the user had no applications running over SChannel, they would still be vulnerable to compromised sites, which may be modified in a manner to enable web-based attacks.

System administrators should be aware that there is a risk that any service relying on SChannel may facilitate the compromise of your Windows systems and Networks. Many Windows services run over the SChannel implementation, such as Active DirectoryCommon, IIS, Exchange, RDP and Windows Update. The Client Certificate Authentication functionality of SChannel is also vulnerable to CVE-2014-6321. Applying the patch requires rebooting the system, which may be an issue for critical systems.

Who is affected?

The vulnerable code within SChannel is included in all recent (unpatched) Windows versions. The affected ( supported) systems are:

  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008 and 2008 R2
  • Windows 7
  • Windows 8 and 8.1
  • Windows Server 2012 and 2012 R2
  • Windows RT and RT 8.1

What can I do?

Microsoft has released a security update which addresses the vulnerability by sanitising the specially crafted packets that trigger the issue. To protect against the SChannel vulnerability Portcullis Security recommends updating your affected Windows systems as soon as possible.

The following mitigations can also be applied:

  • Services using SSL should, if possible, be protected by a non-Windows SSL proxy device.
  • Forbid uncontrolled access over the internet to RDP services at firewall level –this was Portcullis’ advice even before this latest vulnerability, however, it is worth reiterating in light of this issue.
  • Where appropriate, disable client side certificate authentication in IIS – it has been suggested that this vulnerability can be triggered even on services that don’t actually support client certificate authentication, however, Portcullis’ advice has always been to reduce the functional attack surface wherever possible.


It should however be noted that mitigation is not the same as remediation. The only solution that addresses CVE-2014-6321 directly is the patch provided by Microsoft.