Microsoft Security Bulletin MS01-021 - Critical
Web Request Can Cause Access Violation in ISA Server Web Proxy Service
Published: April 16, 2001 | Updated: June 23, 2003
Who should read this bulletin:
System administrators using Microsoft® ISA Server 2000.
Impact of vulnerability:
Denial of service
System administrators who have enabled the ISA Server Web Publishing feature should apply the patch immediately. Administrators who have not enabled the feature should consider applying the patch.
- Microsoft ISA Server 2000
The ISA Server Web Proxy service does not correctly handle a certain type of web request if it exceeds a particular length. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all incoming and outgoing web proxy requests until the service was restarted.
Under most conditions, a user on the Internet could not exploit the vulnerability, as ISA Server will ignore external requests unless the Web Publishing feature is enabled. However, if an external attacker were able to persuade an internal user to visit a web page or open an HTML e-mail, it could be possible to embed a URL that would exploit the vulnerability from within the network.
- Web Publishing is disabled by default.
- The vulnerability would not enable an attacker to breach the security of the firewall - that is, it would not enable the attacker to access protected resources or bypass the firewall. It would only enable the attacker to deny legitimate service to other users.
- The vulnerability would only allow the Web Proxy service to be disrupted. Other ISA services would continue functioning normally.
Vulnerability identifier: CAN-2001-0239
Microsoft tested ISA Server 2000 and Proxy Server 2.0 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
Frequently asked questions
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable an attacker to disrupt an ISA server, thereby preventing any web traffic from passing through the firewall in either direction. An attacker inside the firewall could exploit the vulnerability under any conditions; an attacker outside the firewall could exploit it only if the Web Publishing feature were enabled, or she were able to convince an internal user to open web content of her choosing.
The vulnerability would not allow the attacker to usurp any administrative control over the firewall, nor would it enable an attacker to breach the security of the firewall. Also, the vulnerability would only provide a way to disrupt the web proxy service - other services would remain in operation. The web proxy service could be restored by restarting it.
What causes the vulnerability?
The vulnerability results because the Web Proxy service in ISA Server doesn't correctly handle a particular type of request for web resources if it exceeds a particular length. If such a request were received, the Web Proxy service would fail with an access violation.
What is ISA Server?
Internet Security and Acceleration (ISA) Server provides both an enterprise firewall and a high-performance web cache. The firewall protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The web cache helps improve network performance by storing local copies of frequently-requested web content.
What is the Web Proxy service?
The Web Proxy service enables web requests to be made via the firewall. When an internal user needs to access an external web site, the firewall makes the request on her behalf, and provides the content to her when it's received. This improves security in two ways: it allows the network administrator to regulate which sites users can visit, and masks users' internal network addresses when they access web sites.
The Web Proxy also can be configured to provide a "reverse proxy" service. This is done via the Web Publishing feature which, if enabled, allows external users to access internal web sites without exposing the actual address of the sites. By default, the Web Publishing feature is disabled.
What's wrong with the Web Proxy service?
It doesn't correctly handle a particular type of request for web resources if it exceeds a certain length. If such a request were received, it would cause an access violation that would result in the failure of the Web Proxy service.
Who could levy such a request?
As long as the web proxy service is running (and it runs by default), any internal user could levy the type of request at issue here. If the Web Publishing feature were enabled, an external user could levy such a request.
Is there any other way for an external user to exploit the vulnerability?
If an external attacker were able to entice or persuade an internal user into visiting a web page or opening an HTML e-mail, it could be possible for her to exploit the vulnerability even if the Web Publishing feature were disabled. The web page or HTML e-mail could contain a request of the type described above, and because it would originate from within the network, it could exploit the vulnerability even if Web Publishing were disabled.
What could an attacker do via this vulnerability?
An attacker could use this vulnerability to disrupt the Web Proxy service. By sending a web request of the type discussed above, she could cause the service to fail, thereby preventing the firewall from passing any web requests, in either direction.
How could normal service be restored?
The administrator could restore normal service by restarting the Web Proxy service. It would not be necessary to reboot the server.
How great a threat does this vulnerability pose?
It depends on whether the Web Publishing feature is enabled. By default, it's disabled, and an attacker would need to be located within the network to exploit the vulnerability. However, if it were enabled, any Internet user could exploit it. Clearly, the latter case would pose a much greater threat.
Could an attacker use the vulnerability to take control of the ISA server?
No. This is a denial of service attack only. There is no capability to usurp any administrative privileges.
Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides. It can only be used to prevent the Web Proxy service from passing any data at all.
What does the patch do?
The patch eliminates the vulnerability by causing the Web Proxy service to correctly treat the request at issue as invalid.
Download locations for this patch
Microsoft ISA Server 2000:
Note: This patch has been superseded by the one provided in Microsoft Security Bulletin MS01-045.
Additional information about this patch
This patch can be installed on systems running ISA Server 2000 Gold.
Inclusion in future service packs:
The fix for this issue will be included in ISA Server 2000 Service Pack 1.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FPC\Hofixes\63.
- To verify the individual files, use the date/time and version information provided in Knowledge Base article Q295279.
This patch can be installed on any language version of ISA Server 2000.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches are also available from the WindowsUpdate web site.
Microsoft thanks Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and Kent Nicolson of FSC Internet Corp. / SecureXpert Labs (http://www.fscinternet.com) for reporting this issue to us and working with us to protect customers.
- Microsoft Knowledge Base article Q295279 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (April 16, 2001): Bulletin Created.
- V1.1 (April 17, 2001): Bulletin updated to address the possibility that an external attacker could exploit the vulnerability via a web page or HTML e-mail.
- V1.2 (August 21, 2001): Patch Availability section updated to advise that the patch provided here has been superseded.
- V1.3 (June 23, 2003): Updated Windows Update download links.