Michael Green (Australia) asked on Experts Exchange:
[2015-03-28 21:49:54] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail.mydomainname.com.au, data: remote.mydomainname.com.au

Hi,
My customer is running Microsoft Small Business Server 2008 (Windows Server 2008).

They just received the following message from their ISP.

-----Original Message-----
From: Internet Abuse Team [mailto:abuse@tpg.com.au]
Sent: Tuesday, 31 March 2015 9:24 AM
To: xxxxx@tpg.com.au
Subject: [xxxxxx@tpg.com.au] AISI reported activities

Dear Customer (minera@tpg.com.au),

We have received reports from the ACMA's Australian Internet Security Initiative (AISI) that a machine accessing the Internet using your TPG Service is causing unwanted traffic to be transmitted, such as spam and viruses, or has some other detected vulnerability.

A summary of the last few complaints has been provided below:

[2015-03-28 21:49:54] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail.mydomainname.com.au, data: remote.mydomainname.com.au
[2015-03-27 19:33:42] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail.mydomainname.com.au, data: remote.mydomainname.com.au
[2015-03-26 21:01:31] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail.mydomainname.com.au, data: remote.mydomainname.com.au
[2015-03-18 13:23:00] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail.mydomainname.com.au, data: remote.mydomainname.com.au


It may be that your equipment has been compromised by a hacker, some other malicious software has been installed onto your system, or there is some other serious issue that requires your attention. Please obtain an up to date antivirus software and ensure that all your machines are cleaned as a matter of urgency. If you fail to do so and the malicious traffic persists, TPG may take steps to limit it by suspending your service.

For more information about how to protect your computer, please visit the following websites below:

http://www.acma.gov.au/Industry/Internet/e-Security/Australian-Internet-Security-Initiative/australian-internet-security-initiative
http://www.staysmartonline.gov.au/computers/secure_your_internet_connection
http://www.staysmartonline.gov.au/home_internet_users/secure_your_computer

If you have any questions about this email or our Terms and Conditions, please contact Customer Service on customer_service@tpg.com.au or 13 14 23.

Thank you.


Kind Regards,

Internet Abuse Team
TPG Internet

E-mail:      abuse@tpg.com.au
Phone:      13 14 23
Fax:      02 9850 0813


Port 443 is actually forwarded to Small Business Server 2008 by their ADSL router.


When I ran a check on their domain I got the following result regarding the Poodle vulnerability:

https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp


remote.mydomainname.com.au
This server may be impacted by the Poodle vulnerability.
This server is safe from the FREAK vulnerability.
This server is safe from the Heartbleed vulnerability.
This server is safe from Poodle (TLS) vulnerability.



Can anyone offer some guidance here? Is this something to do with SSL 3.0?
ASKER CERTIFIED SOLUTION by Zacharia Kurian (solution text available to Experts Exchange members only)
Looks like the Australian Internet Security Initiative have proactively scanned your webserver for a known bug. While I don't entirely approve of organizations doing pentesting against servers without prior approval, in this case they have identified a significant security issue.

The official Microsoft report (and fix instructions) for POODLE are here and are relatively simple to follow. POODLE is simply a way of forcing the browser to accept a lower grade of encryption (in this case, the outdated SSLv3 protocol) and the fix is to disable SSLv3 on the browser. Similarly, back in the mists of time (aka the "golden age" if you work at the NSA :) SSL was required to support "export grade" (i.e. easily breakable) crypto. FREAK is the ability to force a browser or server to use that insecure crypto in place of the one it actually asked for. Again, there is an official Microsoft report and fix here.

Both these vulnerabilities require an active man-in-the-middle interception attack to be exploited; for many users that would be difficult, but there are circumstances (such as free wifi) where this could happen.
Michael Green (ASKER):

Thanks Dave.

If my reading is correct, the fix to disable SSL 3.0 is:



• Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double-click the value to edit its current value.

6. In the Edit DWORD (32-bit) Value dialog box, type 0.
7. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.



The question I have is.....given SBS2008 is getting a little 'long in the tooth' (and older versions such as SBS2003 are now obsolete), are there any Small Business Server specific implications for disabling SSL 3.0?
I also CANNOT SEE WHERE MICROSOFT HAS RELEASED ANY SPECIFIC PATCHES FOR THIS - this appears to be a MANUAL fix so far, i.e. registry changes.......is that correct?
So Zacharia Kurian, where are the server 'patches' you refer to?
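The registry steps quoted above can be scripted rather than clicked through in regedit. The following is an added example written for this thread, not code from Microsoft or from anyone in the discussion. It is written to run on the PowerShell 2.0 that Server 2008 can host, assumes an elevated prompt, and, as an extension of the advisory's Server-only steps, also sets the Client role (drop it from $Roles to match the advisory exactly). The reboot in step 7 is still required.

```powershell
# Added example (not from the thread, not Microsoft's code): the SCHANNEL
# registry change from the advisory steps quoted above, scripted in PowerShell.
# Assumptions: run from an elevated prompt; the 'Client' role is disabled as
# well as the advisory's 'Server' role (remove it from $Roles if you only want
# the server side); a restart is still needed afterwards (step 7).

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SslProtocolState {
    # Read back the 'Enabled' value for each role. $null means the key or value
    # is absent and the OS default applies (SSL 3.0 is on by default on Server 2008).
    param([Parameter(Mandatory=$true)][string]$Protocol)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Protocol\$role"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        }
        $shown = 'not set (OS default)'
        if ($enabled -ne $null) { $shown = $enabled }
        New-Object PSObject -Property @{
            Protocol = $Protocol
            Role     = $role
            Enabled  = $shown
        }
    }
}

function Disable-SslProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0'
        [string[]]$Roles = @('Server', 'Client')
    )
    foreach ($role in $Roles) {
        $key = Join-Path $SchannelProtocols "$Protocol\$role"
        # Step 2 note: create the key path if it does not exist yet
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Steps 3-6: DWORD 'Enabled' = 0. -Force overwrites an existing value,
        # which is the advisory's "double-click the value to edit" case.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

'Before:'
Get-SslProtocolState -Protocol 'SSL 3.0' | Format-Table Protocol, Role, Enabled -AutoSize

Disable-SslProtocol -Protocol 'SSL 3.0'

'After (both roles should read 0):'
Get-SslProtocolState -Protocol 'SSL 3.0' | Format-Table Protocol, Role, Enabled -AutoSize
'Restart the server for SCHANNEL to pick up the change (step 7).'
```

Backing the change out is the same edit in reverse (set Enabled to 1, or delete the value so the OS default returns), which is what makes a test-first rollout low risk. The same two values can be delivered by a Group Policy registry preference if more than one machine needs them.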
There aren't any patches, as it would just be applying the registry keys - I believe there is a Fix it, but that's just automation of the manual process (and of course registry keys can be pushed out using GPO, which makes life easier for the busy admin).

There aren't any backend implications as far as I know - 2008 can handle TLS just fine; it is possible schannel on older OSes (such as XP) could have issues, you might be advised to test that if you are still running stuff that old (or upgrade them of course, but I know it can be hard to find budget for that and all the software upgrades that would be required).

With SBS you may be using schannel also to support SSL for SQL connections - if you are using those from legacy workstations (again) you would be advised to test first. You are of course able to back out these changes if they become problematic, so (with appropriate testing) the risk isn't THAT high.
Disable Vulnerability in SSL 3.0 server wide. (manually editing the registry)

https://technet.microsoft.com/library/security/3009008

Fix for Disable Vulnerability in SSL 3.0 in IE

https://support.microsoft.com/en-us/kb/3009008

Zac
All PCs/laptops are Windows 7 or above.  No XP or SQL Server other than what is used on SBS2008 itself.

So it sounds like no issues with applying this registry fix on SBS2008...... :)
No, Win7 is more than good enough - you should repeat the procedure on Win7 also though, to prevent use of those crypto algos clientside (hence, GPO :D)
Please check the section "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" in the 1st link provided.

You can disable the vulnerability in IE for the same through GPO, for your windows clients.

Zac.
Zacharia - this was a server only / external vulnerability issue.  I acknowledge that the vulnerability issue exists in browsers etc but in terms of stopping my customer's ISP from spamming them the fixes/changes are all server based.

And I'm assuming from your response you are confirming there are no actual software patches for this issue as yet - just registry changes.

Correct ?
"...stopping my customer's ISP from spamming them the fixes/changes are all server based."
Correct.

"...there are no actual software patches for this issue as yet"

Means "Microsoft Security Advisory" with a workaround, and they usually fix the issues with OS updates.

Zac
No patches are needed - you are just disabling algos, and keeping that as a registry config means people with legacy issues retain the choice - which given how much depends on schannel (Cisco's AnyConnect client, for example) is a significant benefit.
You should get a new intermediate certificate and install it. You still support RC4, which is a very weak protocol and is considered broken. You do not support perfect forward secrecy. Microsoft has released two updates that re-order your cipher suites and add more cipher suites (the first one was broken and re-released a few days later).

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what?_ga=1.221539352.162631433.1427417447

Certificate chain
    GeoTrust EV SSL CA - G4 (Intermediate certificate)
        GeoTrust Primary Certification Authority (Intermediate certificate, broken)
            www.tpg.com.au (Tested certificate)

https://www.ssllabs.com/ssltest/analyze.html?d=tpg.com.au
Suggest you download and run this script: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
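After the registry change (and after any cipher-suite re-ordering from the updates and script mentioned above), the natural follow-up is to confirm from a second machine what the server will now negotiate: that SSL 3.0 is refused, that TLS 1.x is accepted, and whether RC4 or a non-forward-secret key exchange is still being chosen. The probe below is an added example for this thread, not code from the discussion, the SSL Labs test, or the hass.de script; $TargetHost is a placeholder for the server's public name, and port 443 matches the ISP report.

```powershell
# Added example (not from the thread): check from a separate Windows machine
# which protocol versions a server accepts and what it negotiates. The point is
# to verify the SSL 3.0 change and to see whether RC4 or a non-forward-secret
# key exchange is still picked. Assumption: $TargetHost is a placeholder.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$TargetHost,
        [Parameter(Mandatory=$true)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        Protocol = $Protocol; Accepted = $false; Cipher = $null; KeyExchange = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Certificate validation is bypassed on purpose: this probe asks only
        # which protocol and cipher the server negotiates, not whether the chain
        # is trusted (SSL Labs covers the chain, as the result above shows).
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $result.Accepted    = $true
        $result.Cipher      = $ssl.CipherAlgorithm       # Rc4 here means the weak cipher is still in use
        $result.KeyExchange = $ssl.KeyExchangeAlgorithm  # RsaKeyX = no forward secrecy; DiffieHellman (ECDH may show as a bare number) = forward secrecy
        $ssl.Dispose()
    } catch {
        # Handshake refused: the server does not offer this version (or this
        # client's own SCHANNEL refuses it; see the note below the block)
    } finally {
        $client.Close()
    }
    $result
}

$TargetHost = 'remote.example.invalid'   # placeholder, replace with your server's name
$results = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -TargetHost $TargetHost -Protocol $p
}
$results | Format-Table Protocol, Accepted, Cipher, KeyExchange -AutoSize
```

One caveat when reading the output: if the machine running the probe has SSL 3.0 disabled for its own Client role, the Ssl3 row will read Accepted = False whatever the server does, so a negative there is only meaningful from a client that still has the protocol enabled. The SSL Labs test linked above remains the authoritative external check, and is also what matches the ISP's report, since both look at the server from the outside.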