Overview:
Microsoft has announced an information disclosure vulnerability in SSL 3.0 and TLS 1.0 that affects all Windows operating systems. The vulnerability is not specific to any particular Windows version but lies in the protocol itself. An attacker who intercepts encrypted web traffic served from an affected system can exploit it to decrypt portions of that traffic and retrieve information such as authentication cookies. Protocol configurations whose cipher suites do not use CBC mode of encryption are reported to be unaffected by this attack.
SSL 3.0 is disabled by default in Windows 10 version 1607 / Windows Server 2016 and above, and TLS 1.0 will be disabled by default in Windows 10 version 1709 and above.
CVE assigned:
CVE-2011-3389
Affected Software:
All the Windows Operating Systems with SSL 3.0 or TLS 1.0 enabled.
Solution:
To mitigate this vulnerability, disable the SSL 3.0 and TLS 1.0 protocols on the system if they are enabled, or use other protocols (TLS 1.1 and above) in which CBC mode of encryption is not used. The SCHANNEL registry values that control each protocol, per side (Server/Client), are listed below.
TLS 1.0 Server enabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 'Enabled=1'
TLS 1.0 Server disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 'Enabled=0'
TLS 1.0 Client enabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 'Enabled=1'
TLS 1.0 Client disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 'Enabled=0'
SSL 3.0 Server enabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server 'Enabled=1'
SSL 3.0 Server disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server 'Enabled=0'
SSL 3.0 Client enabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client 'Enabled=1'
SSL 3.0 Client disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client 'Enabled=0'
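As an added example (not part of this KB and not SanerNow's fix package), the following PowerShell script reads the Enabled value at each of the eight registry paths above and reports it, treating a missing key as "OS default"; with the -Remediate switch (a name chosen for this example) it writes Enabled=0 for every entry that is not already explicitly disabled. It also sets DisabledByDefault=1, the companion value documented in the Microsoft TLS registry settings page referenced below; run it from an elevated PowerShell session.

```powershell
# Audit / disable SSL 3.0 and TLS 1.0 in SCHANNEL (added example, run as Administrator).
# -Remediate is a switch name chosen for this example, not a SanerNow or Windows option.
param(
    [switch]$Remediate
)

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('SSL 3.0', 'TLS 1.0')
$sides     = @('Server', 'Client')

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $path)) {
        # No key at all: the OS default applies (SSL 3.0 off from Windows 10 1607 /
        # Server 2016, TLS 1.0 off from Windows 10 1709), so nothing is pinned explicitly.
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = '(OS default)'; Path = $path }
    }
    $enabled = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) { $enabled = '(not set)' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = $enabled; Path = $path }
}

function Disable-SchannelProtocol {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Enabled=0 matches the "disabled" rows listed in the KB; DisabledByDefault=1 is the
    # companion DWORD from Microsoft's TLS registry settings documentation.
    New-ItemProperty -Path $Path -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Path -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Audit every protocol/side combination and print the current state.
$report = foreach ($p in $protocols) { foreach ($s in $sides) { Get-SchannelState -Protocol $p -Side $s } }
$report | Format-Table Protocol, Side, Enabled -AutoSize

if ($Remediate) {
    # Pin an explicit Enabled=0 wherever the value is not already 0 (including OS-default
    # entries, so the state no longer depends on the Windows build).
    foreach ($row in ($report | Where-Object { $_.Enabled -ne 0 })) {
        Disable-SchannelProtocol -Path $row.Path
        Write-Host "Disabled $($row.Protocol) $($row.Side) at $($row.Path)"
    }
}
```

Disabling the Client entries affects outbound connections made by this machine, so check that any dependent application or service supports TLS 1.1 or above before remediating the Client side.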
Mitigation using SanerNow:
1. Download the attached CVE-2011-3389_SSL_TLS_fix.zip.
2. Log in to SanerNow.
3. Switch to the account/site-specific view.
4. Use the EM tool to create an Action.
5. Select the 'Software Deployment' feature.
6. Click Upload, in the upper right corner.
7. Click 'Open the file Browser', upload the 'CVE-2011-3389_SSL_TLS_fix.zip' file and click Close.
8. Once the uploaded package is visible, click the 'exclamation mark' as shown in the diagram below.
9. Click Edit in the newly opened window, set the silent option to /S and click 'Update Details' as shown in the diagram below.
10. Select the uploaded package and click Install, in the upper right corner.
11. Select the 'Group' to which the workaround should be applied and click 'Next'.
12. Enter the required details and click 'Create Installation task' as shown in the diagram below.
Systems need not be rebooted for this change to take effect.
On the next scheduled scan, vulnerabilities will not be reported.
References:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings