WinShock: What is it? How to Remediate CVE-2014-6321

In this Whiteboard Wednesday, Justin Pagano, Security Engineer, will discuss the latest high-profile Microsoft vulnerability, called WinShock. Learn the details and see how you can remediate CVE-2014-6321. Watch this week's video to learn more.


Video Transcript

Hey, everyone. My name's Justin Pagano. I'm a Security Engineer here at Rapid7, and for today's Whiteboard Wednesday we're going to go over WinShock.


WinShock is a vulnerability that was recently disclosed by Microsoft this past Tuesday for their monthly Patch Tuesday update. The vulnerability arises in the Secure Channel package in Windows, which is like Microsoft's version of OpenSSL. Secure Channel, which is also known as Schannel, implements SSL and TLS connections for Windows systems.

Now, there aren't a lot of details yet around exactly how WinShock can be exploited or is exploited. All we know is that Microsoft discovered this vulnerability internally during one of their security assessments. They developed a patch for it, and at the same time they disclosed the vulnerability they released a patch, but the nature of this vulnerability is that it's a remote code execution vulnerability. On vulnerable systems that are running Windows Server 2003, 2008, 2012 or Windows Vista, Windows 7, Windows 8 and Windows 8.1, an attacker can send malicious packets to these Windows systems, and when they're using Schannel to secure a network connection such as HTTPS, the vulnerable system will not properly check those packets and it will process them in such a way that if the attacker injected some commands into those packets, the vulnerable system will execute them, typically with system privileges.

This means that an attacker can successfully retrieve sensitive information or data of a vulnerable system, hijack a system to stage further attacks or delete and destroy data that's on that system and so on and so forth. Basically, they can run arbitrary commands on the system without having to authenticate, and that's really the troubling part here. It's somewhat similar to some past remote code execution vulnerabilities that we've seen, but thankfully Microsoft did release a patch for it at the same time, so what we need to focus on right now is installing that patch. The patch ID is KB2992611. It's available through Windows Update. There are a lot of other security vulnerabilities that Microsoft disclosed at the same time they disclosed WinShock. Those patches are also available through Windows Update. It'd be well worth your time to go through and apply all of them. There are three other critical vulnerabilities in there that get patched that are also remote code execution vulnerabilities. There's some other important and moderate vulnerabilities that you should also take care of that involve Internet Explorer as well as OLE objects in lieu of the recent Sandworm exploit that was published a few weeks ago.

Also, after you're done patching, you can use Nexpose to validate patching has worked and to examine residual exposure that's left over if some patches didn't go through properly. A lot of people, again, like with past vulnerabilities, have been asking, "How is this compared to Heartbleed? How is it compared to Shellshock and POODLE and Sandworm?" Like I mentioned before, we don't have a ton of details yet or any evidence yet of this being exploited in the wild or how the exploit works exactly, so it's difficult to say really how much worse or how bad WinShock is compared to these past vulnerabilities. What we do know is that remote code execution being done in an unauthenticated fashion is pretty bad by itself. The CVSS version two score for this vulnerability is a 10 right now; we know that's pretty bad. As more details come out we'll have a better idea of how this ranks against Heartbleed and Shellshock, but if the bleed in Heartbleed means unauthorized information disclosure and the shock in Shellshock means remote code execution, this by its very nature is a shock to Schannel running on Windows. The CVE ID is listed up here, CVE-2014-6321, and, again, as we mentioned before, scanning with Nexpose can help you determine how vulnerable you are right now, which can help you target your patching, and then afterwards you can do some validation of that patching.

That's it for today. Thanks for joining and we'll see you next week. 
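
One way to check for the KB2992611 patch named in the transcript, as an added PowerShell example (not from the video or from Rapid7). It uses the built-in `Get-HotFix` cmdlet; the function name `Test-WinShockPatch` and the host names are hypothetical.

```powershell
# Added example: report whether KB2992611 is recorded as installed on each host.
# 'Test-WinShockPatch' is a hypothetical name; host names below are constructed.
function Test-WinShockPatch {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$HotFixId = 'KB2992611'   # patch ID given in the transcript
    )
    process {
        foreach ($computer in $ComputerName) {
            $status = 'Missing'
            $installedOn = $null
            try {
                # List every recorded update and filter locally, so an exception
                # here means the query itself failed, not "hotfix not found".
                $match = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                    Where-Object { $_.HotFixID -eq $HotFixId } |
                    Select-Object -First 1
                if ($match) {
                    $status = 'Installed'
                    $installedOn = $match.InstalledOn
                }
            }
            catch {
                # Unreachable host, access denied, blocked WMI/RPC: this is not
                # evidence either way, so report it separately from 'Missing'.
                $status = 'QueryFailed: ' + $_.Exception.Message
            }
            [pscustomobject]@{
                ComputerName = $computer
                HotFixId     = $HotFixId
                Status       = $status
                InstalledOn  = $installedOn
            }
        }
    }
}

# Local machine first, then a constructed list of placeholder host names.
Test-WinShockPatch
'web01.example.test', 'mail01.example.test' | Test-WinShockPatch | Format-Table -AutoSize
```

A `Missing` result means only that this KB ID is not recorded on the host; a later update that supersedes it may be installed instead, so confirm with a vulnerability scan as the transcript suggests.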
