False negative for 3174644: Diffie-Hellman Key Size?

JasonWalker · May 19, 2017, 3:09pm

I think there may be a false-negative on Fixlet 317464401 in “Patches for Windows”. The Diffie-Hellman Key Exchange updates for Windows Vista through 2012r2 have been superseded & replaced several times, but the superseding packages do not apply the registry edit to change the minimum Diffie-Hellman Key Exchange sizes as this fixlet does.

I have this Fixlet in one of my patch baselines, to configure a minimum key size of 2048 bits, but I’ve been finding through an audit that the registry edit was not applied on a number of my systems. They are returning false on Relevance 4 :

exists keys ("Package_for_KB3174644~31bf3856ad364e35~x86~~6.0.1.0"; "Package_for_KB3174644~31bf3856ad364e35~amd64~~6.0.1.0"; "Package_for_KB3175024~31bf3856ad364e35~x86~~6.1.2.0"; "Package_for_KB3175024~31bf3856ad364e35~amd64~~6.1.2.0"; "Package_for_KB3174644~31bf3856ad364e35~x86~~6.3.1.1"; "Package_for_KB3174644~31bf3856ad364e35~amd64~~6.3.1.1") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry

According to the Fixlet description for KB3174644 “Note: This patch has been partially superseded by KB3198510”. The Relevance is checking for either 3174644 or 3175024 installed.

Per http://www.catalog.update.microsoft.com/Search.aspx?q=3174644 , 3174644 only has downloads for Visa, 2008, 8.1, 2012, and 2012r2 (no Win7 or 2008r2 so I guess that’s changed)

http://www.catalog.update.microsoft.com/Search.aspx?q=3175024 has downloads for Win Vista through 2012r2. The package details for 2008r2 shows this has been replaced by the 2017-05 Rollup Packages (KB4019264, KB4019263, or KB4015549 depending on your preferred rollup flavor)

Checking my 2008r2 host showing a False for the Relevance 4, I do have KB4015549 installed.

I think that either the fixlet for 3174644 needs to have the relevance changed to include each monthly rollup package, or refactored to not depend on the individual KB packages and instead maybe look at file versions. This is likely to be a problem in several other fixlets as the monthly rollups replace earlier packages. I don’t know which files are replaced by these KBs, but I’d bet schannel.dll is one of them.

JasonWalker · May 19, 2017, 4:45pm

Checking for three of the KBs associated -
https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exchange

https://support.microsoft.com/en-us/help/3198510/ms16-137-description-of-the-security-update-for-windows-authentication-methods-november-8,-2016

https://support.microsoft.com/en-us/help/3175024/ms16-111-description-of-the-security-update-for-windows-kernel-september-13,-2016

I think I can handle the case with this relevance to examine schannel.dll. I don’t have all of the affected operating systems though. Can anyone with Vista, Windows 8, or 2012 check this and comment?
if version of operating system < version "10" then exists file "schannel.dll" whose (version of it >= (version ("6.0.6002.19678";"6.1.7601.23539";"6.2.9200.21954";"6.3.9600.18454")) whose (major revision of it = major revision of version of operating system and minor revision of it = minor revision of version of operating system)) of native system folder else true