On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE-2014-3566)?

Question

How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?

Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?

There is a Microsoft Fix it 50495 on the MS KB page you linked to. — MattBianco, Oct 16 '14 at 07:59
I tried running Fix it 50495 on Windows 2008, and it failed with error "This Microsoft Fix it does not apply to your operating system or application version." Oh well. — Josh, Oct 20 '14 at 15:34

score 58 · Accepted Answer · answered Oct 15 '14 at 18:26

58

There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.

In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.

To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.

Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.

I haven't tested all versions, but I think it's probably safe to assume that a reboot is necessary for this change to take effect.

answered Oct 15 '14 at 18:26

Evan Anderson

142,379

3

reboot not necessary on Windows Server 2012 at least. you can verify before and after at http://poodlebleed.com/ by entering your URL and 443 for SSL port – Simon Oct 31 '14 at 00:49
Thanks, Do you know if I should disable PCT as well since its allegedly disabled by default and yet not disabled in this way ? – Mark Broadhurst Nov 04 '14 at 11:52
@Simon, is there something else you have to do to get the changes to take effect? I just made the registry updates on a Server 2012 machine, but it's still getting reported that SSL3 is enabled. – Abe Miessler Dec 18 '14 at 17:37
I don't believe so. I'm assuming you're using iis and my Apache and you checked usjng that website. And you're sure you have the exact right registry key? – Simon Dec 18 '14 at 17:39
NOT apache (I don't know where 'my Apache' came from!)

Simon

Dec 20 '14 at 01:08

score 24 · Answer 2 · edited Apr 13 '17 at 12:14

Just for ease of installation I derived this "disable ssl 2 and 3.reg" file from Evan's answer above:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

score 12 · Answer 3 · edited Apr 01 '15 at 13:19

12

Powershell to disable SSL2 and SSL3:

2..3 | %{ New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL $_.0\Server" -Name Enabled -PropertyType "DWORD" -Value 0 -Force }

edited Apr 01 '15 at 13:19

Community

1

answered Oct 17 '14 at 01:23

Vasili Syrakis

4,638

Unfortunately the above only works if the registry subkeys are already present. Would be nice to see PS that can create them if not exists or update them if they do. – Jaans Oct 19 '14 at 23:50
Are you sure? Mine creates them for me. It might differ on lower versions of Powershell and Windows (I'm using v2 on Server 2008 R2) – Vasili Syrakis Oct 19 '14 at 23:51
2

Yup... see screenshot uploaded to: http://i.imgur.com/rctFH4D.png Using PS 3.0 and WSMan 3.0. – Jaans Oct 19 '14 at 23:54

score 9 · Answer 4 · answered Oct 28 '14 at 21:21

9

There is a free utility from Nartac that you can use to disable the protocols.

https://www.nartac.com/Products/IISCrypto/Default.aspx

answered Oct 28 '14 at 21:21

DrundoSoft

99

Kazi · Answer 5 · 2014-10-20T15:53:30.433

Here's a PowerShell that will test for the presence of the registry keys, create them if needed, and then enter the necessary values to disable SSL 2.0 and SSL 3.0

$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'


If(!(Test-Path -Path $regPath1))
{
New-Item -Path $regPath1 -Force
}

If(!(Test-Path $regPath2))
{
New-Item -Path $regPath2 -Force
}
   New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
   New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force 

If(!(Test-Path $regPath3))
{
New-Item -Path $regPath3 -Force
}

If(!(Test-Path $regPath4))
{
New-Item -Path $regPath4 -Force
}
   New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
   New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force

This can be deployed using SCCM or command line - just be sure to run the SCCM job or command line as Administrator. Some websites with the registry information indicate that a reboot is required after the registry keys are created and/or modified.

score 4 · Answer 6 · answered Oct 21 '14 at 18:47

4

Or grab a copy of IISCrypto and click the best practices button, then uncheck SSL 3.0 and then apply, then reboot

answered Oct 21 '14 at 18:47

Tom

41

score 3 · Answer 7 · answered Dec 15 '14 at 23:22

You don't have to disable SSL3. You can enable SSL3 and have POODLE mitigated.

# Copy and paste this in PowerShell then restart your server
$cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' \
-name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

With these settings you would still have IE6 support (with SSLv3 using RC4) and have a more than acceptable configuration security wise. Only IE6 and really old client would be using SSLv3 or RC4 ciphers.

David Thomas · Answer 8 · 2015-05-27T12:03:55.200

3

There's a good PowerShell script that helps with IIS 7.5 & 8 configuration:

This PowerShell script setups your Microsoft Internet Information Server 7.5 and 8.0 (IIS) to support TLS 1.1 and TLS 1.2 protocol with Forward secrecy. Additionally it increases security of your SSL connections by disabling insecure SSL2 and SSL3 and and all insecure and weak ciphers that a browser may fall-back, too. This script implements the current best practice rules.

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

edited May 27 '15 at 12:03

answered May 27 '15 at 09:40

David Thomas

410

Hmm, not sure why this was down voted. I used that utility myself and it works perfectly. – David Thomas May 28 '15 at 07:18
This looks good but at least one guy has had problems after running it - don't know if it's isolated seen other people say it's great. – Mark Oct 08 '15 at 22:20

On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE-2014-3566)?

8 Answers8

Linked

On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE­-2014­-3566)?

8 Answers8

Linked

On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE-2014-3566)?