Understanding the Functionality of Critical Security Patches
Learn the importance of critical security patches and how they protect your systems from cyber threats.
Written by Noah Garland
Updated at December 11th, 2024
- User Manual
- Agents
- The Cyber Risk Assessment Process
- API Documents
- General Questions and Troubleshooting
- The Cyber Risk Assessment Process (Video Tutorials)
- Sales and Prospecting Articles
- CYRISMA Partner Portal Access
- Glossary
- CYRISMA Change Log
- Support Ticket SLA
- Onboarding Framework
- PSA Integrations
- Billing Questions
- Self Onboarding Guide
Table of Contents
This document provides an overview of the functionality of four essential patches implemented to address critical vulnerabilities in SSL/TLS protocols, cipher suites, and digital signature validation. Below, we detail the root causes, related CVEs, descriptions, and registry configurations for each patch.
Disabling Obsolete SSL Versions (POODLE Vulnerability)
- Root Cause: Obsolete SSL version (SSL 3.0) enabled.
- CVE: CVE-2014-3566
- Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
- Remediation: This patch disables SSL 3.0 to prevent its use in communication protocols.
- Registry Changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
Disabling Obsolete TLS Versions (Sweet32 Vulnerability)
- Root Cause: Obsolete TLS versions (TLS 1.0 and TLS 1.1) enabled.
- CVE: CVE-2016-2183
- Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
- Remediation: This patch disables TLS 1.0 and TLS 1.1 protocols.
- Registry Changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
Disabling Weak Cipher Suites
- Root Cause: Weak Cipher Suites (e.g., DES, RC4) enabled.
- CVE: CVE-CRSM-0001
- Description: Weak cipher suites like DES, RC4, and NULL encryption provide insufficient security and are deprecated.
- Remediation: This patch disables all weak cipher suites.
- Registry Changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
@="NCRYPT_SCHANNEL_INTERFACE"
"Functions"=hex(7):54,00,4c,00,53,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,\
36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,\
00,54,00,4c,00,53,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,\
47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,\
00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,\
41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,\
00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,\
00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,\
00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,\
5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,32,\
00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,\
5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,\
00,5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,\
33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,\
00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,\
53,00,5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,\
00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,\
45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,\
00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,\
53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,\
00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,\
54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,00,42,\
00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,\
5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,\
00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,\
42,00,43,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,\
00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,\
49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,\
00,42,00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,\
53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,\
00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,\
36,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,\
00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,\
5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,\
00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,\
5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,\
00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,\
42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,\
00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,\
5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,00,42,00,43,00,5f,\
00,53,00,48,00,41,00,00,00,00,00
Enabling WinTrust Certificate Padding Check
- Root Cause: WinTrust EnableCertPaddingCheck was disabled.
- CVE: CVE-2013-3900
- Description: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."
-
Remediation: This patch enables the
EnableCertPaddingChecksetting to ensure proper validation. - Registry Changes:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"