logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error
Testing & Fixing Poodle on Windows/Linux ScreenConnect servers.
Options
Go to last post Go to first unread
Previous Topic Next Topic
Paul Moore  
#1 Posted : Saturday, October 18, 2014 5:56:15 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
As you're no doubt aware by now, SSLv3 is now officially dead and insecure.

If your ScreenConnect UI uses SSL, visit:
https://www.ssllabs.com/ssltest

Enter your URL and hit "Submit". Wait for the test to complete... it will take roughly 1 minute.

If you're vulnerable to the poodle exploit (by supporting SSLv3 with CBC ciphers and no SCSV fallback support), you'll see
Poodle Screenconnect Fail

It's vital you upgrade immediately.

Linux / Mono

If you use Mono under Linux, I'd suggest moving to NGINX instead. Although it's possible to tweak Mono to remove SSLv3 support, the crypto stack isn't FIPS compliant and it's lacking in many areas. NGINX has full support for OpenSSL, allowing you to disable SSLv3 in your config. If you require SCSV fallback support, you'll also need OpenSSL >= v1.0.1j. SCSV support is enabled automatically, with no changes required to your config. Instructions on configuring NGINX for Screenconnect can be found here: http://forum.screenconne...inux--TLS-and-Nginx.aspx

Linux / Apache

Edit your SSL configuration to mirror:

SSLProtocol All -SSLv2 -SSLv3

Save the file and restart apache.

Windows / IIS

Windows being windows, it's tricky and requires a reboot.

1. Run regedit.
2. Navigate to:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols

You should already have an SSL 2.0 branch (if not, you're way out of date!!).

3. Create an SSL 3.0 branch
4. Create a "Server" key and insert a new DWORD called "Enabled" with a value of 0.

It should look like this:
IIS ScreenConnect Poodle

5. Reboot.

--

After you've made the necessary changes, go back to https://www.ssllabs.com/ssltest and run the test again. If all goes well, it'll look like this:
ScreenConnect Poodle Fixed

If you no longer support SSLv3 AND you support SCSV fallback protection, it'll look like this:
ScreenConnect Poodle Fixed w/ SCSV
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
thanks 6 users thanked Paul Moore for this useful post.
Konceptech.net on 10/19/2014(UTC), bnx2014 on 10/20/2014(UTC), Daf on 10/20/2014(UTC), MyKE on 10/20/2014(UTC), sjswarts on 12/8/2014(UTC), gb5102 on 12/16/2014(UTC)

Back to top  
MyKE  
#2 Posted : Monday, October 20, 2014 8:51:27 AM(UTC)
MyKE


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/29/2014(UTC)
Posts: 8
Czech Republic
Location: Ostrava

Thanks: 3 times
Was thanked: 5 time(s) in 3 post(s)
Windows: As ScreenConnect uses own web service "ScreenConnect Web Server" lot of people don't have IIS role installed. In result I don't have in regedit SCHANNEL so my question is if I create it manually will be SSL 3.0 disabled? I haven't tested it so I'm asking first.

Thanks.
Back to top
Daf  
#3 Posted : Monday, October 20, 2014 12:12:15 PM(UTC)
Daf


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 1/5/2011(UTC)
Posts: 60
Location: UK

Thanks: 6 times
Was thanked: 3 time(s) in 3 post(s)
I have made this change on Windows without IIS, and the changes outlined above worked for me. I also needed to disable the 2.0 branch as well.
Back to top
thanks 1 user thanked Daf for this useful post.
MyKE on 10/20/2014(UTC)
MyKE  
#4 Posted : Monday, October 20, 2014 12:31:39 PM(UTC)
MyKE


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/29/2014(UTC)
Posts: 8
Czech Republic
Location: Ostrava

Thanks: 3 times
Was thanked: 5 time(s) in 3 post(s)
Sorry, my bad. I made mistake I was in another key folder instead of SecurityProviders. Thank you it works without IIS as Daf says.
Back to top
sjswarts  
#5 Posted : Monday, December 8, 2014 2:33:47 PM(UTC)
sjswarts


Rank: Member

Joined: 10/21/2014(UTC)
Posts: 23
Australia
Location: Perth

Thanks: 14 times
This was very helpful, thank you for spending the time to make it.

I did however find that following this - https://raymii.org/s/tut...L_Security_On_nginx.html - also hardened my server more.

Please use at your own discretion.

Edited by user Monday, December 8, 2014 2:37:04 PM(UTC)  | Reason: Not specified

regards,

Steven Swarts
TechCare

https://www.techcare.net.au
Back to top
WWW
ditkar  
#6 Posted : Wednesday, January 31, 2018 3:07:11 PM(UTC)
ditkar


Rank: Advanced Member

Joined: 7/9/2014(UTC)
Posts: 88
Man
United States

Thanks: 8 times
I tried the same steps per Paul but as soon as I add the SSL 3.0 branch with DWORD = 0 and reboot, I no longer can access the SC website. Hence I cannot run the scan using ssllabs website.
Any idea?
Back to top
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2020, Yet Another Forum.NET