Home > AD, WSUS > CVE-2014-6324, MS14-068, and you!

CVE-2014-6324, MS14-068, and you!

By now, you’ve almost certainly heard of the Microsoft Update being released out of band, MS14-068 related to CVE-2014-068, for an in-the-wild Kerberos exploit with some pretty serious ramifications.

Definitely check out this Microsoft Technet Blog post: http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

The relevant portions to me are:

Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible.

And:

The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue.

Now, don’t take that to mean my stance is “Meh, don’t patch!”.  Quite the opposite.  As per the article:

Update Priority

  1. Domain controllers running Windows Server 2008R2 and below
  2. Domain controllers running Windows Server 2012 and higher
  3. All other systems running any version of Windows

So get those DC’s patched _now_, and calmly plan to update the remaining servers.

 

But I’ve heard from a number of colleagues/twitter/posts today that this introduces chaos, makes a busy week worse, etc.  Certainly it is critical and important, but I’m not getting the frustration:

  • It immediately only applies to 2008R2 DC’s and lower.  Most Small to Mid size enterprises I know don’t have more than a couple dozen at best, and often many less.  So patch them.
  • You likely don’t have 2012R2 DC’s – for many reasons.  Too many legacy systems that don’t like 2012/2012R2 DC’s, you haven’t had time to get around to it, you haven’t tested, you’re afraid of them, whatever. 
  • They’re DC’s, they’re redundant.  Just patch the bloody things.

But I think it’s that last part that makes people lose their minds.  Folks, if you can’t reboot a DC in your environment, you’ve built a very poor system (or “have” one – maybe you inherited it – it’s still your job to make it better!).  Yes, you should minimize the downtime, so do it in a period of lower activity if you can, but if you have to wait for… 2:00AM on a Sunday, there’s a problem with what you’ve built.  I can probably even guess what these problems are:

  • Even though you likely have Windows Server Datacenter and virtualization (Hyper-V or VMware) for unlimited VM’s, someone is probably all freaked out about “server sprawl” – so you have fewer servers that you could have.
  • Which means you likely aren’t separating out roles
  • So your DC’s are likely serving double exponential duty also serving DNS, and DHCP, and PKI, and RADIUS, and, and, and. 
  • Failover/maintenance has never been tested.  So you have “redundant systems” and maybe tested the failover, in a CONTROLLED fashion – but never tested the equivalent of a “power cord yank”
    Stop doing this. 
    It doesn’t require a $5000 1U server to run a role any more.  Stop building like its 2003.  Server Sprawl is only a problem if you have lousy automation and processes for consistency.  Managing 53 or 153 servers shouldn’t be significantly different.  You SHOULD be able to reboot servers and services at any point in time without concern.  If you cannot, then even if you have multiple, you DO realize you have identified a failure point, right?

If your answer is something along the lines of “But we don’t know the impact it will have…” – seriously?  Why not?  You tested, right?  Your monitoring software will alert you of services or functions that fail when a dependent service fails?  You might have even built in rules to self-heal or scripts to try “the obvious fix”?

Probably not though.  Everyone’s too busy paying 28% “Technical Debt” on the big fancy expensive toys and software they bought that they didn’t get enough people to install completely or got button mashed until it “kinda worked” then the next fire stole the body away.  You know that “Cloud” thing everyone’s talking about and how all the CEO/CIO/Directors/Management “want it” but “don’t know what it does”?  It’s about automation, scale, and self-healing, with growth and shrinking elasticity.  Instead of “wanting it”, it’s time to “build it”. 

Or, we can just keep doing like we’ve always done – chasing the next hot thing, and killing symptoms instead of root causes.  That’s probably what will happen…

 

All that said, MS14-066, which addresses the SChannel issues, that needs to be updated for as well.  But as per many online sources (http://windowsitpro.com/security/ms14-066-months-problem-patch, KB 2992611, http://www.infoworld.com/article/2849292/operating-systems/more-patch-problems-reported-with-the-ms14-066-kb-2992611-winshock-mess.html) there are issues with this update, that have resulted in it getting a re-issue.  Microsoft has a blog post about this as well:

http://blogs.technet.com/b/rmilne/archive/2014/11/13/critical-schannel-vulnerability-ms14-066.aspx

Specific details you care about:

Update 16-11-2014: KB 2992611 has information on known issues.

Update 18-11-2014: V2 of the bulletin was released.  Details from the update:

Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information

So if you’ve already patched, you’ll need to re-patch. 

I wonder if this can be taken to be true:

As of writing, the MSRC and other security assets do not report that there attacks in the wild since the issue was responsibly disclosed to Microsoft. However it is only a matter of time….

Given the issues, and how this is introducing interoperability issues, it may be advisable to give some thought to how fast this update gets rushed into production.

Hope the above information helps, and sorry for my little detour into rant-ville.  I feel better now though, if it matters.

Advertisements
Categories: AD, WSUS
  1. November 19, 2014 at 6:56 AM

    Great insight, I totally agree with your thinking about separating roles and having redundant AD systems. I admin small companies with 10 end users and have 2 AD servers even for something that small.

  2. Jacques Le Roux
    November 20, 2014 at 10:32 AM

    MS14-068 (to address CVE-2014-6324) blocked my Windows VPN. Same for a tunneling SSH, it prevented to open the port back on my machine (when the tunnel is built)

    HTH

  3. Jacques Le Roux
    November 20, 2014 at 10:35 AM

    Forgot to say it was from a Windows 7 machine up to date (before I reverted MS14-068)

  1. November 19, 2014 at 10:07 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: