Feedback
Did this article resolve your question/issue?

   

Article

WinShock Vulnerability (MS14-066, CVE-2014-6321)

« Go Back

Information

 
TitleWinShock Vulnerability (MS14-066, CVE-2014-6321)
URL Namewinshock
Article Number000191121
Environment12.3
Question/Problem Description

This article discusses the Microsoft vulnerability, "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)," announced in security bulletin MS14-066 and CVE-2014-6321, and is also known as WinShock.

Steps to Reproduce
Clarifying Information
Error Message
Defect Number
Enhancement Number
Cause
Resolution
An attacker who is able to exploit this vulnerability could potentially run arbitrary code on your machine, which could result in the attacker gaining control of the machine, stealing information, and so forth.

The Microsoft Windows Schannel security provider is the affected component, and many Ipswitch products rely on it for transport encryption (secure communications). We therefore encourage applying the November 2014 patches to all Windows servers and clients.

The November patches also include other critical security fixes, including another remote code execution vulnerability (MS14-064), so please install all of the updates.

Please see these links for more information:

Microsoft Security Bulletin Summary for November 2014
Microsoft Security Bulletin MS014-066
https://support.microsoft.com/kb/2992611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321
 

Known Issues

We have become aware that this particular WinShock patch, KB2992611, is causing connection problems with the Chrome browser and possibly other clients supporting the TLS 1.2 protocol. It appears that the server must have installed the KB2992611 patch, and both the client and server must have TLS 1.2 enabled, in order to run into potential problems.

Microsoft has updated their support KB page to include instructions to remove new ciphersuites that were included in the update, in order to work-around this issue (look under the Known issues with this security update section).

Disabling these ciphersuites does not mean that you will become susceptible to the WinShock vulnerability. These ciphersuites were added by Microsoft alongside the fix for the WinShock vulnerability in the KB2992611 patch.

While Microsoft's instructions should work if you run into connection problems after installing the update, note that for MOVEit File Transfer (DMZ) administrators and operators, these new ciphersuites can be more easily disabled via the DMZ Config's SSL tab:
 
Workaround
Notes
Last Modified Date5/12/2021 9:30 AM
Attachment 
Files
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.