[2015-03-28 21:49:54] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail. mydomainname com. au, data: remote. mydomainname. com. au

Hi,
My customer is running Microsoft Small Business Server 2008 (Windows Server 2008).

They just received the following message from their ISP.

-----Original Message-----
From: Internet Abuse Team [mailto:abuse@tpg.com.au]
Sent: Tuesday, 31 March 2015 9:24 AM
To: xxxxx@tpg.com.au
Subject: [xxxxxx@tpg.com.au] AISI reported activities

Dear Customer (minera@tpg.com.au),

We have received reports from the ACMA's Australian Internet Security Initiative (AISI) that a machine accessing the Internet using your TPG Service is causing unwanted traffic to be transmitted, such as spam and viruses, or has some other detected vulnerability.

A summary of the last few complaints have been provided below:

[2015-03-28 21:49:54] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail. mydomainname. com. au, data: remote. mydomainname. com. au
[2015-03-27 19:33:42] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail. mydomainname. com. au, data: remote. mydomainname. com. au
[2015-03-26 21:01:31] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail. mydomainname. com. au, data: remote. mydomainname. com. au
[2015-03-18 13:23:00] [60.242.127.74] Vulnerable Service: HTTPS (POODLE) - remote_port: 443, domain_name: mail. mydomainname. com. au, data: remote. mydomainname. com. au


It may be that your equipment has been compromised by a hacker, some other malicious software has been installed onto your system, or there is some other serious issue that requires your attention. Please obtain an up to date antivirus software and ensure that all your machines are cleaned as a matter of urgency. If you fail to do so and the malicious traffic persists, TPG may take steps to limit it by suspending your service.

For more information about how to protect your computer, please visit the following websites below:

http://www.acma.gov.au/Industry/Internet/e-Security/Australian-Internet-Security-Initiative/australian-internet-security-initiative
http://www.staysmartonline.gov.au/computers/secure_your_internet_connection
http://www.staysmartonline.gov.au/home_internet_users/secure_your_computer

If you have any questions about this email or our Terms and Conditions, please contact Customer Service on customer_service@tpg.com.au or
13 14 23.

Thank you.


Kind Regards,

Internet Abuse Team
TPG Internet

E-mail:      abuse@tpg.com.au
Phone:      13 14 23
Fax:      02 9850 0813


Port 443 is actually forwarded to Small Business Server 2008 by their ADSL router.


When I ran a check on their domain I get the following vulnerability about the Poodle vulnerability.......

https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp


remote.mydomainname.com.au
This server may be impacted by the Poodle vulnerability.
This server is safe from the FREAK vulnerability.
This server is safe from the Heartbleed vulnerability.
This server is safe from Poodle (TLS) vulnerability.



Can anyone offer some guidance here ?  Is this something to do with SSL3.0 ?
Michael GreenSenior IT Consultant / IT Project ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zacharia KurianAdministrator- Data Center & NetworkCommented:
Have a look on the below similar post. You need to patch your servers, ASAP.

http://www.experts-exchange.com/Networking/Protocols/SSL/Q_28646336.html


Zac.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dave HoweSoftware and Hardware EngineerCommented:
Looks like the Australian Internet Security Initiative have proactively scanned your webserver for a known bug - While I don't entirely approve of organizations doing pentesting against servers without prior approval, in this case, they have identified a significant security issue.

The official Microsoft report (and fix instructions) for POODLE are here and are relatively simple to follow.  POODLE is simply a way of forcing the browser to accept a lower grade of encryption (in this case, the outdated SSLv3 protocol) and the fix is to disable SSLv3 on the browser.  Similarly, back in the mists of time (aka the "golden age" if you work at the NSA :) SSL was required to support "export grade" (i.e. easily breakable) crypto. FREAK is the ability to force a browser or server to use that insecure crypto in place of the one it actually asked for.  Again, there is an official microsoft report and fix here

Both these vulnerabilities require an active man in the middle interception attack to be exploited; for many users, that would be difficult, but there are circumstances (such as free wifi) where this could happen.
Michael GreenSenior IT Consultant / IT Project ManagerAuthor Commented:
Thanks Dave.

If my reading is correct the fix to disable SSL3.0 is :



• Disable SSL 3.0 in Windows  
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1.Click Start, click Run, type regedt32 or type regedit, and then click OK.
2.In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

3.On the Edit menu, click Add Value.
4.In the Data Type list, click DWORD.
5.In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double-click the value to edit its current value.

6.In the Edit DWORD (32-bit) Value dialog box, type 0 .
7.Click OK. Restart the computer.

 

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.


Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server



The question I have is.....given SBS2008 is getting a little 'long in the tooth' (and older versions such as SBS2003 are now obsolete) are there any Small Business Server specific implications for disabling SSL3.0 ?
SD-WAN: Making It Work for You

As bandwidth requirements and Internet costs grow, businesses naturally want to manage budgets by reducing reliance on their most expensive connection types. Learn more about how to make SD-WAN work for your business in our on-demand webinar!

Michael GreenSenior IT Consultant / IT Project ManagerAuthor Commented:
I also CANNOT SEE WHERE MICROSOFT HAS RELEASED ANY SPECFIC PATCHES FOR THIS - this is appears to be MANUAL fix so far i.e. registry changes.......is that correct ?
Michael GreenSenior IT Consultant / IT Project ManagerAuthor Commented:
So Zacharia Kurian where are the server 'patches' you refer to ?
Dave HoweSoftware and Hardware EngineerCommented:
There aren't any patches, as it would just be applying the registry keys - I believe there is a fixit, but that's just automation of the manual process (and of course registry keys can be pushed out using GPO, which makes life easier for the busy admin)

There aren't any backend implications as far as I know - 2008 can handle TLS just fine; it is possible schannel on older os (such as xp) could have issues, you might be advised to test that if you are still running stuff that old (or upgrade them of course, but I know it can be hard to find budget for that and all the software upgrades that would be required)

with SBS you may be using schannel also to support ssl for sql connections - if you are using those from legacy workstations (again) you would be advised to test first.  You are of course able to back out these changes if they become problematic, so (with appropriate testing) the risk isn't THAT high.
Zacharia KurianAdministrator- Data Center & NetworkCommented:
Disable Vulnerability in SSL 3.0 server wide. (manually editing the registry)

https://technet.microsoft.com/library/security/3009008

Fix for Disable Vulnerability in SSL 3.0 in IE

https://support.microsoft.com/en-us/kb/3009008

Zac
Michael GreenSenior IT Consultant / IT Project ManagerAuthor Commented:
All PCs/laptops are Windows 7 or above.  No XP or SQL Server other than what is used on SBS2008 itself.

So it sounds like no issues with applying this registry fix on SBS2008...... :)
Dave HoweSoftware and Hardware EngineerCommented:
No, Win7 is more than good enough - you should repeat the procedure on Win7 also though, to prevent use of those crypto algos clientside (hence, GPO :D)
Zacharia KurianAdministrator- Data Center & NetworkCommented:
Please check the section "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" in the 1st link provided.

You can disable the vulnerability in IE for the same through GPO, for your windows clients.

Zac.
Michael GreenSenior IT Consultant / IT Project ManagerAuthor Commented:
Zacharia - this was a server only / external vulnerability issue.  I acknowledge that the vulnerability issue exists in browsers etc but in terms of stopping my customer's ISP from spamming them the fixes/changes are all server based.

And I'm assuming from response you are confirming there are no actual software patches for this issue as yet - just registry changes.

Correct ?
Zacharia KurianAdministrator- Data Center & NetworkCommented:
stopping my customer's ISP from spamming them the fixes/changes are all server based.
Correct.

 
there are no actual software patches for this issue as yet

Means "Microsoft Security Advisory" with a workaround and they usually fix the issues with OS updates.

Zac
Dave HoweSoftware and Hardware EngineerCommented:
no patches are needed - you are just disabling algos, and keeping that as a registry config means people with legacy issues retain the choice - which given how much depends on schannel (cisco's anyconnect client, for example) is a significant benefit.
David Johnson, CD, MVPOwnerCommented:
you should get a new intermediate certificate and install it .  you still support rc4 which is a very weak protocol and is considered broken. you do not support perfect forward security. Microsoft has released two updates that re-order your cypher suites and add more cypher suites (the first one was broken and re-released a few days later)

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what?_ga=1.221539352.162631433.1427417447

Certificate chain
    GeoTrust EV SSL CA - G4Intermediate certificate
        GeoTrust Primary Certification AuthorityIntermediate certificate (broken)
            www.tpg.com.auTested certificate

https://www.ssllabs.com/ssltest/analyze.html?d=tpg.com.au
suggest you download and run this script https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.