Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: isa3~1.htm

ISA Server - three security vulnerabilities



COMMAND

    ISA Server

SYSTEMS AFFECTED

    ISA Server

PROBLEM

    Following  is  based  on  a  Microsoft Security Bulletin MS01-045.
    This bulletin  discusses three  security vulnerabilities  that are
    unrelated except in the sense that both affect ISA Server 2000:
    - A denial of service vulnerability involving the H.323 Gatekeeper
      Service,   a   service   that   supports   the  transmission  of
      voice-over-IP  traffic  through   the  firewall.   The   service
      contains a memory  leak that is  triggered by a  particular type
      of malformed H.323 data.   Each time such data is  received, the
      memory available on the server is depleted by a small amount; if
      an attacker repeatedly  sent such data,  the performance of  the
      server could deteriorate to the point where it would effectively
      disrupt  all  communications  across  the  firewall.   A  server
      administrator could restore normal service by cycling the  H.323
      service.

      The  vulnerability  could  only   be  exploited  if  the   H.323
      Gatekeeper  Service  was  installed.   It  is  only installed by
      default  if   "Full  Installation"   is  chosen;   if   "Typical
      Installation"  is   selected,  it   is  not   installed.     The
      vulnerability  would  not  enable   an  attacker  to  gain   any
      privileges  on  an  affected  server  or  add  any traffic to an
      existing  voice-over-IP  session.   It  is  strictly a denial of
      service vulnerability.

    - A denial of service  vulnerability in the in the  Proxy service.
      Like the  vulnerability above,  this one  is caused  by a memory
      leak, and could be used to degrade the performance of the server
      to the point where is disrupted communcations.

      The vulnerability could only  be exploited by an  internal user;
      it  could  not  be  exploited   by  an  Internet  user.      The
      vulnerability  would  not  enable   an  attacker  to  gain   any
      privileges  on  an  affected  server  or  compromise  any cached
      content  on  the  server.   It  is  strictly a denial of service
      vulnerability.

    - A  cross-site scripting  vulnerability affecting  the error page
      that ISA Server 2000 generates  in response to a failed  request
      for a web page.  An attacker could exploit the vulnerability  by
      tricking a user into submitting  to ISA Server 2000 an  URL that
      has the  following characteristics:  (a) it  references a  valid
      web site; (b)it requests a  page within that site that  can't be
      retrieved - that is, a  non-existent page or one that  generates
      an error; and (c) it contains script within the URL.  The  error
      page generated  by ISA  Server 2000  would contain  the embedded
      script commands, which would execute when the page was displayed
      in the  user's browser.   The script  would run  in the security
      domain of the web site referenced in the URL, and would be  able
      to  access  any  cookies  that  site  has  written to the user's
      machine.

      In order to run script in the security domain of a trusted site,
      the attacker  would need  to know  which sites,  if any,  a user
      trusted.  Most users use  the default security settings for  all
      web sites, which would effectively deny an attacker any gain  in
      exploiting  the  vulnerability  for  the  purposes  of   running
      script.  An attacker who wished to read other sites' cookies  on
      a  user's  machine  would  have  no  way to know which sites had
      placed cookies there.   The attacker would  need to exploit  the
      vulnerability once for every  web site whose cookies  she wished
      to access.  Even if  the attacker correctly guessed which  sites
      had  placed  cookies  on  a  user's  machine, there should be no
      sensitive information  in the  cookies, if  best practices  have
      been followed.

    Acknowledgment  goes  to  Peter  Grundl  for  reporting the memory
    leaks in the  H.323 Gatekeeper Service  and the Proxy  Service and
    Dr.  Hiromitsu  Takagi  for  reporting  the  cross-site  scripting
    vulnerability.

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-045.asp

    for information on obtaining this patch.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH