Microsoft vulnerability updates can cause communication failures in Dell Encryption

Summary: Microsoft vulnerability updates can cause communication failures in Dell Encryption (formerly Dell Data Protection | Encryption).


Symptoms

Affected Products:

  • Dell Encryption
  • Dell Data Protection | Encryption

Cause

Microsoft security updates that address vulnerabilities have been seen to affect Dell Encryption communication. In environments where Diffie-Hellman Export (DHE) cipher suites are allowed on the Dell Security Management Server (formerly Dell Data Protection | Enterprise Edition), the following behavior may be seen after installing Microsoft updates:

In this example, activations were failing. In the shield log, there were the following messages:

[07.08.16 11:54:38:824 CredantServerIn: 211] [ERROR] SSL request failed.. HTTP error An error occurred in the secure channel support [MS ec=12157].
[07.08.16 11:54:38:824 CredantServerIn: 211] [ERROR] HTTP error. HTTP error A security error occurred [MS ec=12175].

And

[07.08.16 11:54:38:864 XmlRpcActivate: 128] Activating user...
[07.08.16 11:54:38:924 XmlRpcActivate: 415] SSL Failure status code. HTTP error(-2147483648) -
[07.08.16 11:54:38:934 XmlRpcActivate: 415] SSL request failed.. HTTP error(12157) - An error occurred in the secure channel support
[07.08.16 11:54:38:934 XmlRpcActivate: 415] HTTP error. HTTP error(12175) - A security error occurred
[07.08.16 11:54:38:934 XmlRpcActivate: 148] Activation request failed [code:0x2f8f]:
[07.08.16 11:54:38:934 Activator: 709] [SUPPORT] [W] Activation - Unable to activate new user XXXXXXX [error = 0x2f8f]
[07.08.16 11:54:38:934 Activator: 711] Activation - Verify that the CMG Shield is properly installed.
[07.08.16 11:54:38:934 Activator: 716] Activation - Verify network connectivity to the CMG Server at "XXXXXXX" and CMG Device Server at
[07.08.16 11:54:38:934 ] - Device Server Connection error (12175)

The endpoint can ping the server and can successfully telnet to the port. Some browsers, such as Chrome, can reach the website, while Internet Explorer cannot.

Entries exist in the Windows System event logs for the SChannel component:

<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{XXXXXXXXXX }" />
    <EventID>36888</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="XXXXXXXXXXXXX" />
    <EventRecordID>19178</EventRecordID>
    <Correlation />
    <Execution ProcessID="764" ThreadID="744" />
    <Channel>System</Channel>
    <Computer>XXXXXXXXXXXXXXX.com</Computer>
    <Security UserID="XXXXXXXX" />
  </System>
  <EventData>
    <Data Name="AlertDesc">40</Data>
    <Data Name="ErrorState">808</Data>
  </EventData>
</Event>
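
The symptom pattern above (HTTP errors 12157 and 12175 in the Shield log together with Schannel event 36888, AlertDesc 40) can be checked mechanically when triaging many endpoints. The following Python sketch is an added example, not Dell or Microsoft code; the function names are hypothetical, and the sample log lines and event are constructed from the excerpts in this article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the log excerpts in this article.
SHIELD_LOG = """\
[07.08.16 11:54:38:864 XmlRpcActivate: 128] Activating user...
[07.08.16 11:54:38:934 XmlRpcActivate: 415] SSL request failed.. HTTP error(12157) - An error occurred in the secure channel support
[07.08.16 11:54:38:934 XmlRpcActivate: 415] HTTP error. HTTP error(12175) - A security error occurred
[07.08.16 11:54:38:934 XmlRpcActivate: 148] Activation request failed [code:0x2f8f]:
"""
SCHANNEL_EVENT = """\
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Schannel" /><EventID>36888</EventID></System>
<EventData><Data Name="AlertDesc">40</Data><Data Name="ErrorState">808</Data></EventData>
</Event>"""

LINE_RE = re.compile(r"^\[(?P<ts>\S+ \S+) (?P<src>\w*): *(?P<line>\d*)\] (?P<msg>.*)$")
# The article shows two spellings: "HTTP error(12157)" and "[MS ec=12157]".
CODE_RE = re.compile(r"HTTP error\((\d+)\)|\[MS ec=(\d+)\]")
TLS_CODES = {12157, 12175}  # the two HTTP error codes shown in the article

def shield_tls_failures(log_text):
    """Return (timestamp, component, code) for each secure-channel error line."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header-less or truncated lines are skipped
        for a, b in CODE_RE.findall(m["msg"]):
            code = int(a or b)
            if code in TLS_CODES:
                hits.append((m["ts"], m["src"], code))
    return hits

def schannel_alert(event_xml):
    """Return AlertDesc as int for a Schannel 36888 event, else None."""
    root = ET.fromstring(event_xml)
    ns = {"e": root.tag[1:root.tag.index("}")]}  # namespace read from the event itself
    if root.findtext("e:System/e:EventID", namespaces=ns) != "36888":
        return None
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", ns)}
    alert = data.get("AlertDesc")
    return int(alert) if alert else None

def matches_article_signature(log_text, event_xml):
    """True when both error codes and AlertDesc 40 (TLS handshake_failure) are present."""
    codes = {c for _, _, c in shield_tls_failures(log_text)}
    return codes == TLS_CODES and schannel_alert(event_xml) == 40
```

A match only confirms the handshake-failure pattern; the installed updates still need to be checked as described under Resolution.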

Resolution

Note: Upgrading the server to v9.4.1 resolves this issue.

If these behaviors are seen, check which Microsoft updates have been applied to the endpoint. Two updates that have been seen to cause issues are:

  • Microsoft security update MS15-055/KB3061518
  • Microsoft Security update KB3161608

One of the updates changes the minimum DHE key length from 512-bit to 1024-bit on the endpoint. By default, the Dell Security Management Server allows the use of 768-bit DHE groups, which causes the SSL or TLS handshake to fail after these updates have been applied. To revert the endpoint to allow the use of a minimum 512-bit DHE key length, you must update the registry on the endpoint. Locate the following subkey in the registry:

Warning: The next step is a Windows Registry edit:
  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
  2. Then add a DWORD value named ClientMinKeyBitLength and set the value to 00000200 (hexadecimal, which is 512 decimal).


Article Properties
Article Number: 000126675
Article Type: Solution
Last Modified: 05 Jul 2023
Version:  9