Check: 2010-A-0120
Windows 7 IAVM: 2010-A-0120 (in version v1 r32)
Title
Multiple Vulnerabilities in Microsoft Internet Information Services (IIS) (Cat I impact)
Discussion
Microsoft has released a security bulletin addressing vulnerabilities in Microsoft Internet Information Services (IIS). IIS is Microsoft's web server, used to publish content on the web for others to view. To exploit these vulnerabilities, an attacker would send malicious URL requests to Active Server Pages (ASP) on a web site hosted by IIS, send malicious HTTP requests to IIS servers with FastCGI enabled, or send a malicious URL to bypass directory-based basic authentication. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service, trigger a buffer overflow, or bypass access restrictions on protected resources and compromise the affected system. At this time there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

IIS Repeated Parameter Request Denial of Service Vulnerability (CVE-2010-1899): A denial of service vulnerability exists in IIS that could allow an attacker who successfully exploited it to interrupt service, causing the server to become unresponsive. An attacker could exploit the vulnerability by sending specially crafted URL requests to Active Server Pages on a web site hosted by IIS. This denial of service vulnerability is caused by a stack overflow in the ASP script processing code.

Request Header Buffer Overflow Vulnerability (CVE-2010-2730): A remote code execution vulnerability exists in IIS that an attacker could exploit by sending specially crafted HTTP requests to IIS servers with FastCGI enabled. This vulnerability is caused by the way that IIS servers with FastCGI enabled handle request headers.

Directory Authentication Bypass Vulnerability (CVE-2010-2731): An elevation of privilege vulnerability exists in IIS. An attacker who successfully exploited this vulnerability could bypass the need to authenticate in order to access restricted resources. This vulnerability is caused by the way that IIS parses specially crafted URLs.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-065 (2267960).

Vulnerable Applications/Systems:
Microsoft Internet Information Services 5.1: Windows XP SP3
Microsoft Internet Information Services 6.0: Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2 (x86, x64 and Itanium)
Microsoft Internet Information Services 7.0: Windows Vista SP1 and SP2 (x86 and x64); Windows Server 2008 and Windows Server 2008 SP2 (x86*, x64* and Itanium)
Microsoft Internet Information Services 7.5: Windows 7 (x86 and x64); Windows Server 2008 R2 (x64* and Itanium)
*Server Core installation not affected.

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below. Where two versions are given, they are the GDR and LDR servicing branches of the same fix (fourth field below 20000 is GDR, 20000 or above is LDR); the installed file only needs to meet the value for its own branch.

Hotfix | File | Operating System | Fixed version (or later) |
---|---|---|---|
IIS ASP (2124261) | Asp51.dll | Windows XP SP3 | 5.1.2600.6007 |
IIS ASP (2124261) | Asp.dll | Windows XP Professional x64 SP2 | 6.0.3790.4735 |
IIS ASP (2124261) | Asp.dll | Windows Server 2003 SP2 | 6.0.3790.4735 |
IIS ASP (2124261) | Asp.dll | Windows Vista SP1 / Windows Server 2008 | 6.0.6001.18497 or 6.0.6001.22718 |
IIS ASP (2124261) | Asp.dll | Windows Vista SP2 / Windows Server 2008 SP2 | 6.0.6002.18276 or 6.0.6002.22431 |
IIS ASP (2124261) | Asp.dll | Windows 7 / Windows Server 2008 R2 | 7.5.7600.16620 or 7.5.7600.20741 (fixed by SP1) |
IIS Infocomm (2290570) | Infocomm.dll | Windows XP SP3 | 6.0.2600.6018 |
IIS CGI (2271195) | Cgi.dll | Windows 7 / Windows Server 2008 R2 | 7.5.7600.16632 or 7.5.7600.20752 (fixed by SP1) |
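The file-version check above can be scripted. The following PowerShell is an added example written for this page; it is not part of the IAVM notice or of Microsoft's bulletin. The version thresholds are copied from the table above; the %windir%\system32\inetsrv locations are the default IIS paths and are assumed, as is the use of the reported OS version and service pack level to pick the matching row.

```powershell
# Added example (not from the IAVM notice or Microsoft): checks the sample files
# from the Check Content table for MS10-065 / IAVM 2010-A-0120. Version
# thresholds are copied from that table; the %windir%\system32\inetsrv paths
# are the default IIS locations and are assumed here.

function Test-PatchedFile {
    # Compares an installed file version with the fixed version for its
    # servicing branch: GDR files have a 4th field below 20000, LDR files
    # 20000 or above, so rows like "16620 or 20741" need two minimums.
    param(
        [string]$Path,
        [string]$GdrMinimum,
        [string]$LdrMinimum = $null
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object psobject -Property @{
            Path = $Path; Installed = 'not present'; Required = $GdrMinimum
            Compliant = $false; Note = 'file missing: confirm IIS/ASP is installed, otherwise N/A'
        }
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $installed = New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $required = [System.Version]$GdrMinimum
    if ($LdrMinimum -and $installed.Revision -ge 20000) {
        $required = [System.Version]$LdrMinimum
    }
    # Only compare within the same build (service pack level): a 6.0.6002 file
    # must be judged by the SP2 row, not the SP1 row.
    $sameBuild = ($installed.Major -eq $required.Major -and
                  $installed.Minor -eq $required.Minor -and
                  $installed.Build -eq $required.Build)
    New-Object psobject -Property @{
        Path = $Path; Installed = "$installed"; Required = "$required"
        Compliant = ($sameBuild -and ($installed -ge $required))
        Note = $(if ($sameBuild) { '' } else { 'build does not match the expected OS/SP row' })
    }
}

function Test-MS10065 {
    $inetsrv = Join-Path $env:windir 'system32\inetsrv'
    # 5.1 = XP, 5.2 = XP x64 / Server 2003, 6.0 = Vista / Server 2008, 6.1 = Win7 / 2008 R2
    $os = [System.Environment]::OSVersion.Version
    $sp = (Get-WmiObject Win32_OperatingSystem).ServicePackMajorVersion
    $results = @()

    switch ("$($os.Major).$($os.Minor)") {
        '5.1' {   # Windows XP SP3: IIS 5.1
            $results += Test-PatchedFile (Join-Path $inetsrv 'asp51.dll')    '5.1.2600.6007'
            $results += Test-PatchedFile (Join-Path $inetsrv 'infocomm.dll') '6.0.2600.6018'
        }
        '5.2' {   # Windows XP x64 SP2 / Server 2003 SP2: IIS 6.0
            $results += Test-PatchedFile (Join-Path $inetsrv 'asp.dll') '6.0.3790.4735'
        }
        '6.0' {   # Vista / Server 2008: IIS 7.0, row depends on service pack
            if ($sp -ge 2) {
                $results += Test-PatchedFile (Join-Path $inetsrv 'asp.dll') '6.0.6002.18276' '6.0.6002.22431'
            } else {
                $results += Test-PatchedFile (Join-Path $inetsrv 'asp.dll') '6.0.6001.18497' '6.0.6001.22718'
            }
        }
        '6.1' {   # Windows 7 / Server 2008 R2: IIS 7.5, fixed by SP1
            if ($sp -ge 1) {
                $results += New-Object psobject -Property @{
                    Path = $inetsrv; Installed = "SP$sp"; Required = 'SP1'
                    Compliant = $true; Note = 'fixed by Service Pack 1' }
            } else {
                $results += Test-PatchedFile (Join-Path $inetsrv 'asp.dll') '7.5.7600.16620' '7.5.7600.20741'
                $results += Test-PatchedFile (Join-Path $inetsrv 'cgi.dll') '7.5.7600.16632' '7.5.7600.20752'
            }
        }
        default { Write-Warning "OS $os is not in the affected list for MS10-065" }
    }

    # Secondary evidence only: the hotfix IDs named in the table. A listed KB
    # without a matching file version still fails the check.
    Get-HotFix | Where-Object { $_.HotFixID -match 'KB(2124261|2290570|2271195)' } |
        Format-Table HotFixID, InstalledOn -AutoSize | Out-Host

    $results
}

Test-MS10065 | Format-Table Path, Installed, Required, Compliant, Note -AutoSize
```

Run it in an elevated PowerShell session on the host being assessed; any row with Compliant = False is a finding, and a "file missing" row means IIS or the ASP/CGI role is not installed and the check is not applicable rather than failed. The script treats a build number that differs from the expected row (for example a Vista SP2 file on a host reporting SP1) as a mismatch to be checked by hand instead of silently passing it.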
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-25353
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |