IIS 6 vunerability - has MSFT fixed this yet?


James

May 28, 2009, 1:36:56 PM
Hi All,

I received an inquiry by our security team today saying that a standard scan
of our servers reported that one of our IIS servers (that is running IIS 6)
triggered a warning of a potential vulnerability: CVE-2007-2897.

The text we were given for the vulnerability was:

---
"Microsoft Internet Information Server (IIS) is an industry-standard Web
server for the Windows platform.
Microsoft Internet Information Services contains a vulnerability that may
allow for remote denial-of-service attacks. A specially crafted
request sent to the server may render it unresponsive."
---

This CVE appears to have originated in 2007; our servers are fully patched.
Can anyone confirm if this vulnerability has been taken care of, and if so,
in what update / patch from MS?

Thanks in advance!
James


Paul Baker [MVP, Windows Desktop Experience]

May 28, 2009, 3:53:29 PM
I don't know anything about this, I just googled it.

I see that it is from May 2007:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2897

It is still under review. That seems like a long time to review it! The
steps given are simple and just need to be run against an IIS 6 server.

I cannot reproduce a two second delay on an IIS server here (not sure which
version) when I type http://<blah>/AUX/.aspx into the Internet Explorer 7
address bar.

According to this page, there is no remedy as of May 23, 2009.
http://xforce.iss.net/xforce/xfdb/34418

But is it really a problem? Who knows!

Paul

"James" <j DOT w AT zoom DOT co DOT uk> wrote in message
news:u9Bsrq73...@TK2MSFTNGP04.phx.gbl...

James

May 28, 2009, 4:13:35 PM
Hi Paul,

Thanks so much for your reply, and help. I also tried to reproduce it and
did not receive any delay in my response. I find it hard to believe that
this is still a problem after such a long period of time.

If anyone else has any insights on this it would be appreciated.

Thanks again Paul!!
James


"Paul Baker [MVP, Windows Desktop Experience]"
<paulrich...@community.nospam> wrote in message
news:uyYB6383...@TK2MSFTNGP05.phx.gbl...

David Wang

May 31, 2009, 4:46:25 PM
Are you saying that your security team scanned multiple IIS6 servers
you manage, but only one of them came up with this warning?

I believe it indicates a misconfiguration of that server relative to
your other IIS6 servers.

Microsoft takes every security vulnerability report seriously and
immediately determines its true impact. Some people believe that all
vulnerabilities must be reported and closed, regardless of cost, but
that is not realistic.

Every vulnerability has a risk/cost assessment. If a vulnerability is
truly important, it would be patched immediately.

For example, people report lots of "vulnerabilities" in IIS which
require special code on and/or configuration of IIS to exploit. Yes,
the exploit may be real, but how realistic is the special code and/or
configuration? Those are factors that weigh into the immediacy and
necessity of a security patch.

Thus, if the issue is patched and you patched all IIS6 servers the
same way, then getting a warning about one of them makes me suspicious
of the security scanner.

If the issue has no patch and one of the servers is deemed
"vulnerable", then it suggests that the server has special user code/
configuration which makes it vulnerable. You should look at your code/
configuration of it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On May 28, 1:13 pm, "James" <j DOT w AT zoom DOT co DOT uk> wrote:
> Hi Paul,
>
> Thanks so much for your reply, and help. I also tried to reproduce it and
> did not receive any delay in my response. I find it hard to believe that
> this is still a problem after such a long period of time.
>
> If anyone else has any insights on this it would be appreciated.
>
> Thanks again Paul!!
> James
>

> "Paul Baker [MVP, Windows Desktop Experience]"<paulrichardba...@community.nospam> wrote in message



Paul Baker [MVP, Windows Desktop Experience]

Jun 1, 2009, 11:36:39 AM
David,

Thank you for your practical steps. There is always going to be some
speculation and unknowns until we see an official response from Microsoft. I
have used a private newsgroup to ask for one. That was on Friday afternoon.

Paul

"David Wang" <w3....@gmail.com> wrote in message
news:bff7f331-5926-4918...@o30g2000vbc.googlegroups.com...

Paul Baker [MVP, Windows Desktop Experience]

Jun 19, 2009, 1:03:37 PM
James,

Below is the information I got from the Microsoft Security Response Center
(MSRC).

Is there a difference in the version of ASP.NET installed on the servers
that explains the security vulnerability report in light of this
information?

"Non-vulnerability in IIS 6.0/ASP.NET

- Microsoft has completed the investigation into the public proof of concept
code that claims to demonstrate a vulnerability in IIS 6.0. Our
investigation has found that the claims are incorrect and that the proof of
concept code does not take advantage of a vulnerability in IIS 6.0.

- Additionally, the code in question incorrectly claims to use IIS 6.0. Our
investigation has shown the code in question actually uses ASP.NET. Our
investigation has shown that the code has no impact against systems running
ASP.NET 2.0. Systems running ASP.NET 1.1 may experience a temporary
disruption when receiving a large volume of concurrent requests containing
this code. However, as soon as the requests are no longer submitted, the
system returns to normal operation.

- Microsoft continues to encourage responsible disclosure of vulnerabilities
to minimize risk to computer users. Microsoft supports the commonly accepted
practice of reporting vulnerabilities directly to a vendor, which serves
everyone's best interests. This practice helps to ensure that customers
receive comprehensive, high-quality updates for security vulnerabilities
without exposure to malicious attackers while the update is being
developed."

Paul.

"Paul Baker [MVP, Windows Desktop Experience]"
<paulrich...@community.nospam> wrote in message
news:eq0YC7s4...@TK2MSFTNGP05.phx.gbl...
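A defender-side check for the request pattern discussed in this thread, added here as an example; it is not code from the thread, from Microsoft, or from any scanner vendor. It parses an IIS W3C-format log, flags requests whose path contains a Windows reserved device name as a segment (AUX, as in Paul's reproduction URL, plus CON, PRN, NUL, COM1-9 and LPT1-9, including percent-encoded spellings), and counts them per client, because MSRC's note above ties any disruption on ASP.NET 1.1 to a large volume of concurrent requests rather than a single hit. The log lines are constructed sample data; the field layout and the per-client threshold are assumptions.

```python
"""
Added example (not from the thread or from Microsoft): flag IIS log requests
whose path segment is a Windows reserved device name, then count per client.
The W3C log excerpt below is constructed sample data, not real traffic.
"""
from collections import Counter
from urllib.parse import unquote

# Windows reserved device names: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"}
RESERVED_DEVICE_NAMES |= {f"COM{i}" for i in range(1, 10)}
RESERVED_DEVICE_NAMES |= {f"LPT{i}" for i in range(1, 10)}


def has_reserved_device_segment(path: str) -> bool:
    """True if any path segment names a reserved device, ignoring case,
    percent-encoding and a trailing extension ("/AUX/.aspx", "/aux.aspx",
    "/%41UX/"). A longer name such as "auxiliary" does not match."""
    for segment in unquote(path).split("/"):
        base = segment.split(".", 1)[0].strip().upper()
        if base in RESERVED_DEVICE_NAMES:
            return True
    return False


# Constructed IIS 6 W3C-format log excerpt (assumed field layout).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-28 13:36:01 10.0.0.5 GET /default.aspx 200
2009-05-28 13:36:02 10.0.0.7 GET /AUX/.aspx 200
2009-05-28 13:36:02 10.0.0.7 GET /aux.aspx 200
2009-05-28 13:36:03 10.0.0.5 GET /auxiliary/index.aspx 200
2009-05-28 13:36:03 10.0.0.7 GET /%41UX/.aspx 200
2009-05-28 13:36:04 10.0.0.9 GET /prn.aspx 200
2009-05-28 13:36:05 10.0.0.5 GET /images/logo.gif 200
"""


def parse_w3c_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # directives, blank lines, or data before any #Fields header
        else:
            yield dict(zip(fields, line.split()))


def find_reserved_name_requests(text: str) -> list:
    """All log records whose URI stem contains a reserved device-name segment."""
    return [rec for rec in parse_w3c_log(text)
            if has_reserved_device_segment(rec["cs-uri-stem"])]


def burst_sources(text: str, threshold: int) -> dict:
    """Clients that sent at least `threshold` such requests. The threshold is an
    assumed tuning value; a single hit is noise, a burst from one client is not."""
    counts = Counter(rec["c-ip"] for rec in find_reserved_name_requests(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in find_reserved_name_requests(SAMPLE_LOG):
        print(rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
    print("burst sources:", burst_sources(SAMPLE_LOG, threshold=3))
```

The same `has_reserved_device_segment` test can be applied at request time (for example in a custom HTTP module or an upstream filter) to reject such paths outright, which is the configuration-level difference David's reply suggests looking for when only one server out of several is flagged.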
