Skip to main content

Microsoft SChannel Remote Code Execution Vulnerability

Issue

Microsoft has released a security update in response to a privately reported vulnerability (MS14-066) in the Microsoft Secure Channel (SChannel) security package in Windows which can allow remote attackers to execute arbitrary code against Windows Servers via crafted packets. This vulnerability has a CVSS base score of 10 (High), and the security update from Microsoft is rated as critical for all supported release of Windows.

Notice

SecureAuth has completed functionality testing of the MS14-066 security update against SecureAuth IdP 8.x running on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 based appliances. At this time, no issues have been encountered with the application of the MS14-066 security update. SecureAuth is in the process of completing functional testing on earlier supported versions of SecureAuth IdP.

Applies to

SecureAuth IdP Version

OS Version

7.x+

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

Resolution

Due to the severity of this vulnerability, SecureAuth recommends all customers test the Microsoft MS14-066 security update, and upon successful testing, apply this update to all SecureAuth IdP appliances as soon as possible.

Further information on the vulnerability – as well as a complete list of all impacted versions of Windows Servers – can be found in Microsoft Security Bulletin MS14-066

Contact SecureAuth Support with questions regarding this issue

Reference

Further details on the assessment of this vulnerability can be found at the NIST NVD website