Poodle Vulnerability and Microsoft IIS Servers and Shellshock

People are still busy going through previous projects and installations for the growing number of threats posed by the Shellshock vulnerability; the list of exploits keeps growing.

Well, I didn't quite drop everything, but within 24 hours I had patched the only six servers I am responsible for that were vulnerable: a couple each of SMTP relay and DNS server management pages, plus ImageFolio.net and its backup. Running:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

in a shell, whether remotely or in a local terminal, told me which of them were vulnerable.
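The test above, wrapped so it can be run across every bash binary on a host rather than only the one first on PATH. This is an added example, not code from the original post; it assumes Python 3 and that bash is installed, and the list of candidate paths at the bottom is an assumption for illustration.

```python
import shutil
import subprocess

# The function-export string from the post: a patched bash stores it as a
# harmless variable, an unpatched one also runs the trailing command.
SHELLSHOCK_TEST_ENV = "() { :;}; echo vulnerable"


def check_shellshock(bash_path="bash"):
    """Run the post's Shellshock test against one bash binary.

    Returns True when the trailing command ran (vulnerable), False when the
    export was treated as plain data (patched), None when no such bash exists.
    """
    resolved = shutil.which(bash_path)
    if resolved is None:
        return None
    # Minimal environment: only PATH plus the crafted variable from the post.
    env = {"PATH": "/usr/bin:/bin", "x": SHELLSHOCK_TEST_ENV}
    result = subprocess.run(
        [resolved, "-c", "echo this is a test"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    return "vulnerable" in result.stdout


def report(bash_paths):
    """Map each candidate bash path to 'vulnerable', 'patched' or 'not found'."""
    labels = {True: "vulnerable", False: "patched", None: "not found"}
    return {p: labels[check_shellshock(p)] for p in bash_paths}


if __name__ == "__main__":
    # Hosts with more than one bash (a distro copy and a self-built one, say)
    # need every copy checked; these paths are assumed candidates.
    for path, status in report(["bash", "/bin/bash", "/usr/local/bin/bash"]).items():
        print(f"{path}: {status}")
```

A host counts as fixed only when every bash copy reports "patched"; a self-built bash under /usr/local is the usual one that apt does not touch.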

sudo apt-get install --only-upgrade bash

fixed them all up, except for one that threw the least useful error I have seen in a while:

E: Sense only is not understood, try true or false.

Removing the "--only-upgrade" fixed that; still, if anyone knows what that error is about, please let me know.

This site, as well as a large number of blogs I am responsible for, is managed by the hosting companies; they take responsibility for upgrading OS components such as Bash, which all the big hosting vendors have already done. In any case this site sits behind a firewall that uses signatures to block malicious attacks such as this.

Actually, application servers such as the ones I patched are going to be the easiest to upgrade. I'm looking at my ISP-supplied cable router, and that is vulnerable too, but short of going to great effort and probably breaking some terms of service, the easiest thing to do is simply disable all access from the public side.

But that disclosure was more than a month ago.

Today we have a new one: an email this morning from Microsoft, and it is being widely reported.

And unlike Heartbleed, no cool logo; until something better comes along I will offer this cute puppy.

Poodle is a vulnerability in SSL 3.0, a protocol that has been considered weak for a while, but the work involved in exploiting it meant most people left it alone. Microsoft's advisory 3009008 has some workarounds, but editing group policy will not work, or even be available, in all Windows environments. I have gone over a couple of past projects and installations using this Poodle Scanner and found the only option is a registry edit; while you are at it, you might as well remove all the weak ciphers too. Here is how.

Copy this text to a notepad file:

Windows Registry Editor Version 5.00

; Weak ciphers: a DWORD of 0 disables the cipher in SCHANNEL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

; Legacy protocols on the server side: PCT 1.0, SSL 2.0 and SSL 3.0 (Poodle)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

Save the file as RemoveWeakCiphers.reg, then right-click the saved file and select Merge.

I think this is particularly important to carry out on Exchange servers; I know of many still running on SBS or Server 2003 and 2007 that will be vulnerable and likely will not be further supported by Microsoft, and it is an easy fix.
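A way to verify that the SSL 3.0 registry change above actually took effect, which is what the Poodle Scanner mentioned earlier does: send a ClientHello that offers only SSL 3.0 and see whether the server answers with an SSL 3.0 ServerHello or refuses. This is an added example, not the scanner the post links to or Microsoft's code; it builds the handshake bytes by hand because Python's ssl module no longer offers SSL 3.0, and the cipher suite list, the fixed client random, and the sample server responses in the comments are constructed for illustration.

```python
import socket
import struct

# SSL 3.0 record-layer version (major 3, minor 0)
SSL3_VERSION = b"\x03\x00"

# A few cipher suites an SSL 3.0 server would commonly accept (IANA values);
# the choice is an assumption for the probe, any SSL 3.0 suites would do.
COMMON_SSL3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(ciphers=COMMON_SSL3_CIPHERS):
    """Build a minimal SSL 3.0 ClientHello record.

    Only SSL 3.0 is offered, so a server that still enables the protocol must
    answer with an SSL 3.0 ServerHello, and one that has it disabled must refuse.
    """
    client_random = b"\x00" * 32          # constructed fixed value, fine for a probe
    session_id = b"\x00"                  # empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    compression = b"\x01\x00"             # one compression method: null
    body = (SSL3_VERSION + client_random + session_id
            + struct.pack("!H", len(suites)) + suites + compression)
    # Handshake header: type 1 (ClientHello) plus a 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 16-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSL 3.0 ClientHello."""
    if not data:
        return "rejected"          # connection closed without a reply
    if len(data) < 5:
        return "unknown"           # too short to be a record header
    content_type, version = data[0], data[1:3]
    if content_type == 0x15:
        return "rejected"          # alert record, e.g. handshake_failure or protocol_version
    if content_type == 0x16 and version == SSL3_VERSION and len(data) > 5 and data[5] == 0x02:
        return "accepted"          # SSL 3.0 ServerHello: the protocol is still enabled
    return "unknown"               # not TLS at all, e.g. an HTTP error on the wrong port


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port and report whether SSL 3.0 is still negotiable."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "SSL 3.0:", probe_sslv3(target))
```

SCHANNEL reads these registry values at boot, so run the probe after the server has been restarted; "rejected" is the result you want on every listener (443 for IIS, and the Exchange and RDP ports on the same box), and "accepted" means the key was not merged, or the box has not rebooted yet.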
