Re: MS04-11, SSL, and ISA Server

From: Ondřej Holas (OHolas_at_EXCH.DIGI-TRADE.CZ)
Date: 04/30/04

    Date:         Fri, 30 Apr 2004 20:37:25 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ISA Server uses schannel.dll to work with SSL, so it is also vulnerable. Note that there are generally two ways to publish an HTTPS server using ISA Server: via either a server publishing rule (= port forwarding) or a web publishing rule. In the first scenario ISA does not do the SSL cipher negotiation, and thus ISA itself is not vulnerable. In the second scenario ISA needs to terminate the SSL channel, so there is, IMO, a relatively high risk without MS04-011 applied (if exploited, W3PROXY.EXE runs with LocalSystem privileges).

    Regards,

    Ondrej Holas
    DIGI TRADE
    Prague, Czech rep.

    -----Original Message-----
    From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Kim, Cameron
    Sent: Thursday, April 29, 2004 3:12 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: MS04-11, SSL, and ISA Server

    Can this DoS be performed against an ISA server which proxies the SSL connections? Most of the reports and comments have mentioned the fact that DoS can be performed against IIS servers using SSL connections. But I am not sure if the ISA Server 2000 web proxy actually uses the Microsoft SSL Library. One would suppose so...

    Cameron Kim
    Mitsubishi Digital Electronics America

    -----
    Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
    -----


