Three IIS Flaws Allow Authentication Bypass, DoS, or Code Execution

Summary:

• This vulnerability affects: IIS 5.1, 6.0, 7.0 and 7.5
• How an attacker exploits it: By sending specially crafted HTTP requests or URLs
• Impact: In the worst case, an attacker can gain complete control of your IIS server
• What to do: Install Microsoft’s IIS update immediately, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes three vulnerabilities affecting IIS. The worst is a buffer overflow vulnerability involving the way IIS handles FastCGI enabled requests. By sending you IIS server a specially crafted HTTP request, an attacker could exploit this vulnerability to gain complete control of your IIS server. This flaw sounds quite bad, however a key mitigating factor limits its severity. FastCGI is not enabled by default on IIS server. You are only vulnerable to this flaw if you’ve specifically enabled it.

The two remaining flaws include a Denial of Service flaw that an attacker could leverage to crash your IIS server and an authentication bypass vulnerability that attackers could leverage to gain access to web resources that require authentication.

Though Microsoft only rates these flaws as Important, we recommend IIS administrator download, test and install the IIS update immediately.

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

• IIS 5.1 (XP)
• IIS 6.0
  • Windows XP
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
• IIS 7.0
  • Windows Vista
  • Windows Vista x64
  • Window Server 2008
  • Window Server 2008 x64
  • Window Server 2008 Itanium
• IIS 7.5
  • Windows 7
  • Windows 7 x64
  • Window Server 2008 R2 x64
  • Window Server 2008 R2 Itanium
• IIS FastCGI Update:
  • Windows 7
  • Windows 7 x64
  • Window Server 2008 R2 x64
  • Window Server 2008 R2 Itanium
• IIS 5.1 Authentication Update (XP)

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

• Microsoft Security Bulletin MS10-65

This alert was researched and written by Corey Nachreiner, CISSP.