TonyTullio-5700 asked

Azure Web App identified target web site is using IIS and detected that it is out of date - how to change

A security scan of a web app running Windows has been identified as a High vulnerability. Since this is an old version of the software, it may be vulnerable to attacks. When the Server: Microsoft-IIS/10.0

External References: https://nvd.nist.gov/vuln/detail/CVE-1999-0229
Internet Information Services Other Vulnerability
IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.
Affected Versions: 10.0
External References: https://nvd.nist.gov/vuln/detail/CVE-2000-0115


How can we do the following to fix this issue when using Azure web app?

Remedy
Upgrading IIS to a higher version is not a standalone operation. The IIS version depends heavily on the Windows OS version that you use on your server machine.
If it is not possible to upgrade IIS to a higher version for this type of reason, we strongly recommend that you track and apply the patches that are published by the vendor.
Please note that all updates and patches for IIS come as Windows Updates. Also, you can select which update package(s) will be applied.


Hi @TonyTullio-5700,

Did you get this message from Azure Security Center? It's very odd that this error message would be received for a deployed PaaS app service. Can you further elaborate on where you saw the message and how your app is deployed into Azure?

Regards,
Ryan

TonyTullio-5700 answered

Please see the attached for the 3rd party vulnerability scan:

89556-livingdonorportalcom-detailed-scan-report-002.pdf

Request
GET https://www.livingdonorportal.com/portal-admin/patient-directory HTTP/1.1 (FYI this url is currently not open to the public until we sort out this issue)
Origin: https://www.livingdonorportal.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
Sec-Fetch-User: ?1
Referer: https://www.livingdonorportal.com/
Cookie: ASP.NET_SessionId=cdf3zhoktpielz0ryxc2pfh2; CMSPreferredCulture=en-CA; .ASPXFORMSAUTH=CBE516990AC28B452DAF630AF543B266894ACEC68F4F7FC2205721DF47EBF9D73EC250EE263503C4FD1D34DB4C4C4BB557ED69A2D17964FEA07F0535331455F11094F1BD4751A7CABFC1A017612F427C8C13A174FB4F86C9BE27134E827CC370C2E4AE558614362A524E0C168509CE39DEEB587924C9BE825DC8D617EA6E57AF; CMSPreferredUICulture=en-US; CMSViewMode=0

Response
Response Time (ms) : 0 Total Bytes Received : 64668 Body Length : 64340 Is Compressed : No
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
X-AspNet-Version: 4.0.30319
X-UA-Compatible: IE=Edge
X-Frame-Options: SAMEORIGIN
Date: Tue, 30 Mar 2021 20:57:46 GMT
Cache-Control: private, no-store, must-revalidate
content-type: text/html; charset=utf-8


ryanchill answered

Hi @TonyTullio-5700,

I saw that you've opened a support case. I will tell you that upgrading IIS on a Windows hosted platform is not possible from the consumer standpoint. It is something that is controlled with platform rollouts. You can, alternatively, run your website in a VM and be in control of updating the OS and feature software.

However, this vulnerability, I believe, is a false positive being raised because IIS/10.0 is identifiable in the HTTP header. That can theoretically lead to malicious intent; however, I'm not certain how someone could use that to their advantage.
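Since the scanner keyed its finding on the version-disclosing response headers shown in the report above (Server, X-Powered-By, X-AspNet-Version), the practical mitigation on App Service is to stop emitting them. The web.config below is an added example, not code from the original thread or from either poster; it assumes a Windows App Service (IIS 10, .NET Framework) with web.config at the site root.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post): suppress the three headers
     flagged in the scan report for a Windows App Service / IIS 10 site.
     Assumes an ASP.NET (.NET Framework) app with web.config at the site root. -->
<configuration>
  <system.web>
    <!-- Stops ASP.NET emitting "X-AspNet-Version: 4.0.30319" -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS 10 and later: stops IIS emitting "Server: Microsoft-IIS/10.0" -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Drops the "X-Powered-By: ASP.NET" header added by IIS -->
        <remove name="X-Powered-By" />
        <!-- X-Frame-Options: SAMEORIGIN already appears in the scan; leave it in place -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, repeat the scanner's GET and confirm the three headers are gone; this removes the fingerprint the scanner matched on but does not change the IIS build itself, which, as noted above, is managed by the platform.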
