Title

Microsoft Internet Information Services Remote Code Execution Vulnerability (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing a vulnerability in Microsoft Internet Information Services. To exploit this vulnerability, an attacker would create and send a malicious HTTP request. If successfully exploited, this vulnerability would allow an attacker to perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. IIS Authentication Memory Corruption Vulnerability - (CVE-2010-1256): A remote code execution vulnerability exists in the way that the IIS server processes authentication attempts when Extended Protection for Authentication is not enabled on the client, but is enabled on the server. An attacker could exploit this vulnerability by creating a specially crafted HTTP request. The vulnerability is due to improper parsing of authentication information. An attacker who successfully exploited this vulnerability could execute code in the context of the Worker Process Identity (WPI).

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-040 (982666). Vulnerable Applications/Systems: Windows Server 2003 SP 2 (x86, x64 and Itanium) Internet Information Services 6.0[1] Windows Vista SP 1 and SP 2 (x86 and x64) Internet Information Services 7.0[1] Windows Server 2008 and Windows Server 2008 SP 2 (x86*, x64* and Itanium) Internet Information Services 7.0[1] Windows 7 (x86 and x64) Internet Information Services 7.5 Windows Server 2008 R2 (x64* and Itanium) Internet Information Services 7.5 *Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. [1]This operating system is only affected when Extended Protection for Authentication has been installed. See Microsoft Knowledge Base Article 973917. For more information, see the entry in Frequently Asked Questions (FAQ) Related to This Security Update. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below. Http.sys Windows 2003 SP2 5.2.3790.4693 Windows Vista SP1 / 2008 6.0.6001.18428 or 22675 Windows Vista SP2 / 2008 SP2 6.0.6002.18210 or 22388 Authsspi.dll Windows 7 / 2008 R2 7.5.7600.16576 or 20694

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-24366

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.