Security Thoughts: Vulnerability in SChannel allows security bypassing (Important, FREAK, MS15-031, CVE-2015-1637)

In recent days, a new attack vector, called the FREAK technique, that facilitates SSL/TLS Man-in-the-Middle (MitM) attacks was in the news. Microsoft has confirmed that its implementations of SChannel in Windows and Windows Server are also vulnerable to this attack method and has released updates for all its supported Operating Systems.

 

About FREAK

On Tuesday, March 3, 2015, researchers announced a new way to perform Man-in-the-Middle attacks more easily, using an SSL/TLS vulnerability dubbed ‘Factoring RSA Export Keys’, or the FREAK technique. With it, they could intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can then break to steal or manipulate sensitive data.

The FREAK attack is possible when a vulnerable browser connects to a susceptible web server – a server that accepts EXPORT-grade encryption.

This EXPORT-grade encryption dates from U.S. government export regulations of the nineties, which prohibited the export of strong encryption. Instead, only the weaker EXPORT-grade cipher suites were allowed to be exported:

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC4_40_MD5

Rumor has it, that this enabled the U.S. government to continue spying on everyone.

Today, these export restrictions no longer apply and we shouldn’t be using or offering these weak encryption methods. Alas, by default we still do, for the sake of any legacy software that needs them. Since EXPORT-grade suites are still available by default in client systems, these systems can be ‘tricked’ into accepting EXPORT-grade RSA keys with shorter key lengths (512 bits) than the originally negotiated key lengths (1024 bits and up), which is what the publicly disclosed FREAK technique exploits.
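As an added example (not part of the original post), the following Python decodes the cipher suites carried in a TLS ClientHello or ServerHello record and flags the EXPORT-grade suites listed above by their code points from RFC 2246 and RFC 2712. A ServerHello selecting one of these suites for a client that was never configured to offer them is the handshake signature a FREAK downgrade leaves, so this is the check a passive detector or a pcap triage script would apply; the hello records in the test are constructed sample data.

```python
import struct

# EXPORT-grade cipher suite code points (RFC 2246 A.5; Kerberos suites from RFC 2712).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

def hello_cipher_suites(record: bytes):
    """Return (handshake type, cipher suite code points) from one ClientHello/ServerHello record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + length:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + length]
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    msg = hs[4:4 + hlen]
    off = 35 + msg[34]                 # skip version(2) + random(32) + session_id<0..32>
    if htype == CLIENT_HELLO:          # cipher_suites<2..2^16-2> has a 2-byte length prefix
        n = int.from_bytes(msg[off:off + 2], "big")
        suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(off + 2, off + 2 + n, 2)]
    elif htype == SERVER_HELLO:        # the server's single chosen cipher_suite
        suites = [int.from_bytes(msg[off:off + 2], "big")]
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return htype, suites

def export_suites_in(record: bytes):
    """Names of EXPORT-grade suites offered (ClientHello) or selected (ServerHello)."""
    _htype, suites = hello_cipher_suites(record)
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]

def build_hello(htype: int, suites, version: int = 0x0301) -> bytes:
    """Construct a minimal hello record (sample data only: zero random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if htype == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                            # compression_methods: null only
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"  # chosen suite, null compression
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs
```

On a client that never offered EXPORT suites, `export_suites_in` returning a non-empty list for the ServerHello is the downgrade to alert on; for a server, any EXPORT suite accepted in its own ServerHello means the cipher suite list still needs the cleanup recommended below.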

Although many Operating Systems are vulnerable, in the Windows and Windows Server Operating Systems this vulnerability is in Secure Channel (Schannel).

 

KB3046049

This security update resolves the above vulnerability in Microsoft Windows and Windows Server, which could allow security feature bypass when the publicly disclosed FREAK technique is used.

Affected Operating Systems

All Windows and Windows Server Operating Systems currently in support by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:

  • Windows Vista with Service Pack 2
  • Windows Vista x64 with Service Pack 2
  • Windows 7 with Service Pack 1
  • Windows 7 x64 with Service Pack 1
  • Windows 8
  • Windows 8 x64
  • Windows 8.1
  • Windows 8.1 x64
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2003 with Service Pack 2
  • Windows Server 2003 x64 with Service Pack 2
  • Windows Server 2003 for Itanium-based Systems with Service Pack 2
  • Windows Server 2008 with Service Pack 2
  • Windows Server 2008 x64 with Service Pack 2
  • Windows Server 2008 for Itanium-based Systems with Service Pack 2
  • Windows Server 2008 R2
  • Windows Server 2008 R2 for Itanium-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2

The update is also applicable to Server Core installations, although not many admins would actually use these machines for web browsing…

Problem with previous workaround

If you applied the workaround that was documented in Microsoft Security Advisory 3046015, some internet services may no longer work. To avoid this issue, undo the workaround before you install this security update. To undo the workaround, follow these steps:

  1. Start the Group Policy Object Editor. To do this, type gpedit.msc at a command prompt, and then press Enter.
  2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, double-click SSL Cipher Suite Order.
  4. In the SSL Cipher Suite Order window, select Disabled, and then click OK.
  5. Close the Group Policy Object Editor, and then restart your computer.

Concluding

Although Microsoft has identified a workaround, I urge you to install KB3046049 in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to all devices within the networking environment.

For devices from other manufacturers, like Google Android and Apple iOS-based devices, please refer to the websites of these manufacturers for updates addressing the SSL/TLS RSA-to-RSA_EXPORT vulnerability.

Additionally, when you run web servers with SSL/TLS-secured web sites, please configure them to no longer accept any of the encryption methods, or cipher suites, listed above.

Further reading

Microsoft Security Bulletin MS15-031 – Important
Microsoft Security Advisory 3046015
FREAK Attack: The Chickens of ‘90s Crypto Restriction Come Home to Roost
“FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection
Attack of the week: FREAK (or 'factoring the NSA for fun and profit')
Microsoft: All Windows versions Vulnerable to FREAK Vulnerability
Microsoft warns Windows PCs also vulnerable to 'Freak' attacks
US Cert – FREAK SSL/TLS Vulnerability

Related KnowledgeBase articles

3046049 MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015

One Response to Security Thoughts: Vulnerability in SChannel allows security bypassing (Important, FREAK, MS15-031, CVE-2015-1637)

  1. The patch is much better than the workaround.

    The workaround removes some ciphers which may be used by some common web sites, system software, admin portals, etc.
    Those ciphers are not vulnerable.

    The patch does not remove those ciphers, like

    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

    You may find that much software and many websites use these cipher suites to communicate at this moment.
