Computer Emergency Response Team - Industrie Services et Tertiaire The CERT for France Industry, Services and Tertiary sector

WebDAV vulnerabilities on IIS (MS09-020)

Reference: CERT-IST/AV-2009.204
Version: 2.0
Version date: 10 June 2009

Vulnerability Classification

Risk: high
Impact: Integrity, Confidentiality
Confidence: Vendor-acknowledged
Attack expertise: Skilled
Attack requirements: Remote (no account) over a standard service

System Information

Affected Platform(s):
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP SP2 and SP3
  • Windows XP Professional x64 Edition SP2
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2003 x64 Edition SP2
  • Microsoft Windows Server 2003 (Itanium) SP2
Affected Software(s):
  • Microsoft Internet Information Server (IIS) 5.0, 5.1 and 6.0
Remarks:
  • The WebDAV feature is not enabled by default on IIS 6.0.

  • IIS 7 (shipped with Windows Vista and Windows Server 2008) with WebDAV is not affected by this vulnerability.

Description

Publication context:
[Version 2.0]: This advisory was re-issued on June 10, 2009 following the release of Microsoft security bulletin MS09-020, which fixes these vulnerabilities.

This advisory follows the discovery of a 0-day vulnerability, described in the CERT-IST/DG-2009.006 Potential Danger of May 18, 2009. It was also tracked under reference FA-2009.088 in the Cert-IST list of flaws under investigation.
Problem description:
Several vulnerabilities have been discovered in the Internet Information Server (IIS) 5.0, 5.1 and 6.0 web server when the WebDAV feature is enabled. They allow a malicious person to remotely bypass access restrictions on vulnerable IIS installations.

Note: An exploit for the CVE-2009-1535 vulnerability has been released on the Internet.

The CVE-2009-1535 vulnerability is also known as CVE-2009-1676.
Technical context:
The WebDAV (World Wide Web Distributed Authoring and Versioning) protocol is a set of HTTP extensions that enables users to remotely manage web servers.
Technical information:
The IIS web server fails to properly handle specially crafted tokens when parsing the URI in an HTTP request. This allows a remote attacker, through a specially crafted HTTP request:
  • to bypass authentication on password-protected folders, even when the folder is not a WebDAV folder;

  • to list, download, upload, modify or delete files in a password-protected WebDAV folder.

Note: the vulnerabilities cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs. The default anonymous user account is configured as the IUSR_[computername] account.

Solution

01 - Apply the Microsoft patches (KB970483) regarding the IIS vulnerabilities

    Patches are available for the various affected platforms.

    See the Microsoft security bulletin MS09-020 to get the appropriate patch.

02 - Workarounds regarding the IIS vulnerability

  • If WebDAV is not needed, it should be disabled. This is the default on IIS 6. However, discussions on various forums report that disabling WebDAV is not easy when Microsoft SharePoint (WSS) is in use.
  • Restrict access to vulnerable IIS servers to trusted computers only.
  • Limit the resources the anonymous user account can reach through WebDAV.
  • Filter incoming HTTP requests whose URI contains Unicode characters and whose HTTP headers contain the field "Translate: f". This can be done with the IIS Lockdown Wizard and the URLScan security tool.
  • Finally, filtering unused WebDAV methods (such as "PROPFIND") may help limit the exploitation vectors.
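The request-screening logic described in the "Technical information" section and in the workarounds above, implemented as an added example. This code is not part of the Cert-IST advisory, nor of Microsoft's IIS Lockdown or URLScan tools; it is a stand-alone illustration of the same three indicators those tools can filter on: a Unicode (non-ASCII) character in the request URI, raw or percent-encoded; a "Translate: f" header; and a WebDAV method the site does not use. The minimal HTTP parser, the list of WebDAV methods treated as unused, and the three sample requests are all assumptions constructed for the example.

```python
"""
Added example (not from the Cert-IST advisory or from Microsoft): screen
HTTP requests for the indicators the advisory's workarounds filter on.
"""
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes


# WebDAV methods treated as "unused" on this site. Which methods a site
# actually needs is site-specific; this set is an assumption for the example.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


class Verdict:
    """Result of screening one request: allowed, or blocked with reasons."""

    def __init__(self, reasons: List[str]) -> None:
        self.reasons = reasons
        self.allowed = not reasons

    def __repr__(self) -> str:
        return "allowed" if self.allowed else "blocked: " + "; ".join(self.reasons)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request parser (assumption: CRLF-separated, no body).

    Returns (METHOD, uri, headers) with header names lower-cased so that
    "Translate", "translate" and "TRANSLATE" all match the same key.
    """
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), uri, headers


def uri_has_unicode(uri: str) -> bool:
    """True if the URI carries non-ASCII bytes, either literally or hidden
    behind percent-encoding (e.g. "%c3%a9"), which is why the check runs on
    the percent-decoded bytes rather than on the visible string alone."""
    if any(ord(ch) > 0x7F for ch in uri):
        return True
    return any(byte > 0x7F for byte in unquote_to_bytes(uri))


def screen_request(raw: str, allow_webdav: bool = False) -> Verdict:
    """Apply the three indicators independently and collect every hit."""
    method, uri, headers = parse_request(raw)
    reasons: List[str] = []
    if uri_has_unicode(uri):
        reasons.append("non-ASCII character in request URI")
    if headers.get("translate", "").lower() == "f":
        reasons.append("Translate: f header present")
    if not allow_webdav and method in WEBDAV_METHODS:
        reasons.append("WebDAV method %s not permitted" % method)
    return Verdict(reasons)


# Constructed sample requests (not captured traffic): a normal page fetch,
# a request combining a percent-encoded non-ASCII path with "Translate: f",
# and a PROPFIND against a protected folder.
SAMPLE_REQUESTS = [
    "GET /public/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /protected/%c3%a9tat.doc HTTP/1.1\r\nHost: www.example.com\r\n"
    "Translate: f\r\n\r\n",
    "PROPFIND /protected/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\n\r\n",
]


def screen_all(requests: List[str] = SAMPLE_REQUESTS,
               allow_webdav: bool = False) -> List[Verdict]:
    """Screen a batch of raw requests and return one Verdict per request."""
    return [screen_request(r, allow_webdav) for r in requests]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_REQUESTS, screen_all()):
        print(raw.split("\r\n")[0], "->", verdict)
```

The three indicators are evaluated independently and every hit is reported, so an operator reviewing blocked traffic can see which rule fired. Rejecting every URI that decodes to non-ASCII bytes is the blunt setting URLScan-style tools apply; on a site that serves internationalized file names it will also block legitimate requests, which is why the advisory presents these filters as workarounds pending the MS09-020 patch rather than as a replacement for it.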

History

Version 2.1 (10 June 2009): Fixed the link to the Microsoft security bulletin.
Version 2.0 (10 June 2009): Microsoft security bulletin MS09-020: solution and modification of affected software.
Version 1.1 (19 May 2009): Title and affected software update.
Version 1.0 (19 May 2009): Advisory creation.

Copyright © 1999-2013 Cert-IST