[NT] Cumulative Security Update for ISA Server 2000 (MS05-034)

From: SecuriTeam (support_at_securiteam.com)
Date: 06/15/05

    To: list@securiteam.com
    Date: 15 Jun 2005 15:29:01 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cumulative Security Update for ISA Server 2000 (MS05-034)
    ------------------------------------------------------------------------

    SUMMARY

    ISA Server 2000 provides "an enterprise firewall and a high-performance
    Web cache. The firewall helps protect the network by regulating which
    resources can be accessed through the firewall, and under what conditions.
    The Web cache helps improve network performance by storing local copies of
    frequently-requested Web content. ISA Server can be installed in three
    modes: firewall mode, cache mode, and integrated mode. Firewall mode
    allows an administrator to secure network communication by configuring
    rules that control communication between the corporate network and the
    Internet. Cache mode improves network performance by storing
    frequently-accessed Web pages on the server. In integrated mode, all cache
    and firewall features are available".

    Two security vulnerabilities have been discovered in ISA Server: one
    allows remote attackers to poison the ISA server's cache, while the other
    allows remote attackers to initiate a NetBIOS connection with the ISA
    server.

    A vulnerability exists in ISA Server 2000 because of the way that it
    handles malformed HTTP requests. An attacker could exploit the
    vulnerability by constructing a malicious HTTP request that could poison
    the cache of the affected ISA server. As a result, the attacker could
    either bypass content restrictions and access content that they would
    normally not have access to, or cause users to be directed to unexpected
    content. Additionally, an attacker could use this in combination with a
    separate Cross Site Scripting vulnerability to obtain sensitive
    information such as logon credentials.

    An elevation of privilege vulnerability exists in ISA Server 2000 that
    allows an attacker to create a NetBIOS connection with an ISA Server by
    utilizing the NetBIOS (all) predefined packet filter. The attacker would
    be limited to services that use the NetBIOS protocol running on the
    affected ISA Server.

    DETAILS

    Vulnerable Systems:
     * Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2
       Download the update: <http://www.microsoft.com/downloads/details.aspx?FamilyId=E579813B-0372-45BE-8070-3F4D7D4CB89C>
    Note: The following software programs include ISA Server 2000. Customers
    who use these software programs should install the provided ISA Server
    2000 security update.
     * Microsoft Small Business Server 2000
     * Microsoft Small Business Server 2003 Premium Edition

    Immune Systems:
     * Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
     * Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition

    HTTP Content Header Vulnerability:
    This is an elevation of privilege vulnerability. An attacker who
    successfully exploited this vulnerability could either bypass content
    restrictions and access content that they would normally not have access
    to or they could cause users to be directed to unexpected content.
    Additionally, an attacker could use this in conjunction with a separate
    Cross Site Scripting vulnerability to obtain sensitive information such as
    logon credentials.

    Mitigating Factors for HTTP Content Header Vulnerability - CAN-2005-1215:
     * An attacker would only be able to poison the cache with existing
    content from the IP address or domain name of the targeted server.
     * Due to the way that caching works, an attacker would need to be able to
    submit a malicious request before a valid version of the page is cached
    by another means, whether requested by a user or fetched automatically.
     * ISA Servers that are configured in Firewall Mode are not vulnerable to
    this issue.
     * Typical usage of Internet Explorer will not produce malformed HTTP
    requests.

    How could an attacker exploit the vulnerability?
    An attacker could try to exploit the vulnerability by creating a specially
    crafted HTTP request packet and sending the packet to an affected ISA
    Server.

    What systems are primarily at risk from the vulnerability?
    ISA Servers that are configured to cache Web requests or to publish Web
    servers.

    NetBIOS Predefined Filter:
    This is an elevation of privilege vulnerability. An attacker who
    successfully exploited this vulnerability could connect to services
    utilizing the NetBIOS protocol on the affected ISA Server.

    Mitigating Factors for NetBIOS Predefined Filter Vulnerability -
    CAN-2005-1216:
    An ISA administrator would have to enable the NetBIOS (all) predefined
    packet filter to allow access to local services that use the NetBIOS
    protocol.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could connect to
    services on the ISA Server that use the NetBIOS protocol. However, these
    connection attempts are subject to the typical security checks that are
    employed by the respective services.

    Who could exploit the vulnerability?
    On ISA Server 2000, any anonymous user who could create a NetBIOS
    connection to the affected ISA Server could try to exploit this
    vulnerability.

    How could an attacker exploit the vulnerability?
    An attacker could try to exploit the vulnerability by creating a NetBIOS
    connection with an ISA Server that uses the NetBIOS (all) predefined
    packet filter. The attacker would be limited to services that use the
    NetBIOS protocol running on the affected ISA Server.

    What systems are primarily at risk from the vulnerability?
    ISA Servers that have been configured to allow inbound NetBIOS traffic by
    using the NetBIOS (all) predefined packet filter are primarily at risk
    from this vulnerability.

    CVE Information:
     * CAN-2005-1215: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1215>
     * CAN-2005-1216: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1216>

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/Bulletin/MS05-034.mspx>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
