CVE-2015-6112

Name of the Vulnerable Software and Affected Versions Microsoft Windows Vista SP2 Microsoft Windows Server 2008 SP2 and R2 SP1 Microsoft Windows 7 SP1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Gold and R2 Microsoft Windows RT Gold and 8.1

Description The issue is related to a lack of required extended master-secret binding support in SChannel, allowing man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack". This is due to insufficient input validation in the Schannel component, which can be exploited by a remote attacker to gain access to protected information by conducting a "man-in-the-middle" attack based on errors in the X.509 protocol. An attacker could impersonate a victim on any other server that uses the same credentials as those used between the client and server where the attack is initiated, by first performing a man-in-the-middle attack between the client and a legitimate server.

Recommendations For Microsoft Windows Vista SP2, consider disabling the Schannel component until a patch is available. For Microsoft Windows Server 2008 SP2 and R2 SP1, restrict access to the TLS protocol to minimize the risk of exploitation. For Microsoft Windows 7 SP1, avoid using the same credentials across multiple servers to reduce the impact of a potential attack. For Microsoft Windows 8, Microsoft Windows 8.1, Microsoft Windows Server 2012 Gold and R2, and Microsoft Windows RT Gold and 8.1, apply configuration changes to the SChannel component to ensure proper validation of X.509 certificates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.