ANEXIA Development and Managed Hosting

WinShock Test wrap-up

Written on December 19, 2014 by Stephan Peijnik

When WinShock (MS14-066, CVE-2014- 6321) came to light on 11th of November this year, our emergency response team, consisting of members of our IT and R&D departments created a small shell script which allowed remote detection of the vulnerability.

After some internal testing we made that script, called winshock-test, available to the general public on GitHub.

Let’s quickly dive into how that script works:

Besides the critical security fix for MS14-066, Microsoft also introduced a set of four new SSL/TLS cipher suites with the corresponding patch (KB2992611).

These newly introduced cipher suites created up a simple way for checking the patch-state for those systems: checking whether those cipher suites are supported by SSL/TLS-based services a host provides or not.

After realizing this fact, we created a script which uses OpenSSL’s s_client functionality and testing if the target service allows negotation of those cipher suites.

Besides the script’s source code, some additional information on this approach can be found inside the README file of the script.

As a few weeks have passed since then, it is time for a short wrap-up. Besides praise from IT-operators from all over the world, it seems as if our script also caught some attention from persons and entities within the information security community.

So, in short our script has been linked to and/or recommended in the following articles (in alphabetical order):

Overall, it is a great feeling that one of our small test tools did not only help other IT-operators, but was also recommended by information security professionals.