UPDATE: Microsoft released a FIX resolving this SSL vulnerability in our software!

MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015

https://support.microsoft.com/kb/3046049

Hi all,


Here is a note about the impact of the FREAK vulnerability (Factoring attack on RSA-EXPORT Keys, CVE-2015-0204) on Exchange (Microsoft Security Advisory 3046015 - Vulnerability in Schannel Could Allow Security Feature Bypass).

As a reminder, this vulnerability is not specific to the Windows OS; on Windows it is a general SChannel vulnerability that could allow an attacker to force a downgrade of the cipher suite used in an SSL/TLS connection from a Windows client system. In other words, it lets an attacker switch the negotiated cipher from a strong one to a weaker one that uses RSA-EXPORT key exchange, after which the attacker can intercept and decrypt the SSL traffic.

This vulnerability is not Exchange specific but OS specific, and since the security of Exchange relies heavily upon the security of its dependencies, such as the OS, anything that impacts the security of the OS that Exchange runs on also impacts Exchange. That is why you won't see any Exchange-specific guidance on this.


UPDATE ==> See the link to the fix above. Prior to that, the guidance was to follow the mitigation actions described in the above-mentioned advisory (https://technet.microsoft.com/library/security/3046015), which was to disable the RSA key exchange ciphers in the SSL Configuration Settings using GPOs. Note that this workaround only works on Windows Vista and later. Now we have a fix!
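To check whether the GPO workaround described above is actually in effect on a given Exchange server, the following audit script can be used. It is an added example written for this note, not code from the original post or from Microsoft. It assumes that the "SSL Cipher Suite Order" policy writes a comma-separated REG_SZ value named Functions under the Policies registry key shown, that the local default order lives in the REG_MULTI_SZ Functions value under the Local key, and that SChannel names RSA key-exchange suites with the prefix TLS_RSA_ (ECDHE_RSA and DHE_RSA suites use RSA only for authentication, not key exchange). Run it in an elevated PowerShell session.

```powershell
# Added audit example (not from the original post or from Microsoft): lists the
# SChannel cipher suite order in effect and flags suites that use RSA key
# exchange, which the advisory's GPO workaround removes.
# Assumptions: the GPO "SSL Cipher Suite Order" policy stores a comma-separated
# REG_SZ value named Functions under $PolicyKey; when no policy is set, the local
# default order is the REG_MULTI_SZ Functions value under $LocalKey.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuiteOrder {
    # Returns the configured suite names in priority order, preferring the GPO value.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        $suites = @($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        return [pscustomobject]@{ Source = 'GroupPolicy'; Suites = $suites }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue
    if ($local -and $local.Functions) {
        return [pscustomobject]@{ Source = 'LocalDefault'; Suites = @($local.Functions) }
    }
    return [pscustomobject]@{ Source = 'None'; Suites = @() }
}

function Test-RsaKeyExchangeSuite {
    param([Parameter(Mandatory)][string]$Suite)
    # RSA key-exchange suites are named TLS_RSA_*; export-grade ones also carry
    # EXPORT in the name. TLS_ECDHE_RSA_* / TLS_DHE_RSA_* do not match and are
    # not affected by the downgrade.
    return ($Suite -match '^TLS_RSA_')
}

function Get-FreakMitigationReport {
    param([string[]]$Suites)
    $all     = @($Suites)
    $rsaKx   = @($all | Where-Object { Test-RsaKeyExchangeSuite $_ })
    $export  = @($all | Where-Object { $_ -match 'EXPORT' })
    $cleaned = @($all | Where-Object { -not (Test-RsaKeyExchangeSuite $_) })
    [pscustomobject]@{
        Total            = $all.Count
        RsaKeyExchange   = $rsaKx
        ExportGrade      = $export
        RecommendedOrder = $cleaned        # same priority order, RSA key exchange removed
        Mitigated        = ($rsaKx.Count -eq 0)
    }
}

$order  = Get-SchannelCipherSuiteOrder
$report = Get-FreakMitigationReport -Suites $order.Suites
"Cipher suite source: $($order.Source) ($($report.Total) suites)"
"RSA key-exchange suites still enabled: $($report.RsaKeyExchange.Count)"
$report.RsaKeyExchange | ForEach-Object { "  $_" }
"Export-grade suites: $($report.ExportGrade.Count)"
if (-not $report.Mitigated) {
    "Suggested Functions value for the GPO (RSA key exchange removed):"
    ($report.RecommendedOrder -join ',')
}
```

The script only reads the registry and reports; it does not change the cipher suite order itself. If it reports RSA key-exchange suites as still enabled on a server that has not yet received the MS15-031 update, the printed Functions string is the value to set through the SSL Cipher Suite Order policy as the advisory describes. Once the update is installed, the workaround is no longer required.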