From labs@idefense.com Wed Apr 9 16:24:28 2003 From: iDEFENSE Labs To: vulnwatch@vulnwatch.org Date: Wed, 9 Apr 2003 15:49:14 -0400 Subject: [VulnWatch] iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration (ISA) S -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 04.09.03: http://www.idefense.com/advisory/04.09.03.txt Denial of Service in Microsoft Proxy Server 2.0 and Internet Security and Acceleration Server 2000 April 9, 2003 I. BACKGROUND Microsoft Corp.'s Internet Security and Acceleration Server (ISA) Server integrates an extensible, multi-layer enterprise firewall and a scalable high-performance web cache. It builds on Microsoft Windows 2000 security and directory for policy-based security, acceleration and management of internetworking. More information is available at http://www.microsoft.com/isaserver/ . MS Proxy 2.0 is the predecessor to ISA Server, more information is available at http://www.microsoft.com/isaserver/evaluation/previousversions/default.asp . II. DESCRIPTION A vulnerability exists in ISA Server and MS Proxy 2.0 that allows attackers to cause a denial-of-service condition by spoofing a specially crafted packet to the target system. Another impact of this vulnerability is the capability of a remote attacker to generate an infinite packet storm between two unpatched systems implementing ISA Server or MS Proxy 2.0 over the Internet. Both ISA Server and MS Proxy 2.0, by default, install a WinSock Proxy (WSP) service wspsrv.exe, designed for testing and diagnostic purposes. The WSP service creates a User Datagram Protocol socket bound to port 1745. A specially crafted packet can cause WSP to generate a continuous flood of requests and reply requirements. III. ANALYSIS In the case of the attack scenario for an internal LAN attacker causing a denial of service, this malformed packet must meet the following criteria: * The source and destination IP are the same as the ISA Server. * The source and destination port is 1745. * The data field is specially crafted and resembles the request format. An attacker with access to the LAN can anonymously generate a specially crafted UDP packet that will cause the target ISA Server to fall into a continuous loop of processing request and reply packets. This will cause the ISA Server to consume 100 percent of the underlying system's CPU usage. It will continue to do so until the system reboots or the WinSock Proxy (WSP) service restarts. In the case of the attack scenario of a remote attacker causing a packet storm between two systems running ISA Server or MS Proxy 2.0, the malformed packet must meet the following criteria: * The source IP is one of the targets * The destination IP is the other target * The source and destination port is 1745. * The data field is specially crafted and resembles the request format. IV. DETECTION iDEFENSE has verified that Microsoft ISA Server 2000 and MS Proxy 2.0 are both vulnerable to the same malformed packet characteristics described above. Wspsrv.exe is enabled by default in Proxy Server 2.0. The Microsoft Firewall server is enabled by default in ISA Server firewall mode and ISA Server integrated mode installations. It is disabled in ISA Server cache mode installations. V. WORKAROUND To prevent the second attack scenario, apply ingress filtering on the Internet router on UDP port 1745 to prevent a malformed packet from reaching the ISA Server and causing a packet storm. VI. RECOVERY Restart either the WinSock Proxy Service or the affected system to resume normal operation. VII. VENDOR FIX/RESPONSE Microsoft has provided fixes for Proxy Server 2.0 and ISA Server at http://www.microsoft.com/technet/security/bulletin/MS03-012.asp . VIII. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0110 to this issue. IX. DISCLOSURE TIMELINE 01/23/2003 Issue disclosed to iDEFENSE 02/24/2003 security@microsoft.com contacted 02/24/2003 Response from Iain Mulholland, MSRC 02/25/2003 iDEFENSE clients notified 03/03/2003 Status request from iDEFENSE 03/11/2003 Status request from iDEFENSE 03/11/2003 Response from Iain Mulholland, MSRC 03/13/2003 Status request from iDEFENSE 03/18/2003 Status request from iDEFENSE 03/18/2003 Response from Iain Mulholland, MSRC 03/24/2003 Status request from iDEFENSE 03/25/2003 Response from Iain Mulholland, MSRC 04/09/2003 Public Disclosure Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world ^× from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com . -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPpR3/frkky7kqW5PEQKypwCdGfcO0FcsIAohajEwZMfnZrmGYh4AoMc5 S+jzjh3evev/30oPRtg/1W75 =N1F/ -----END PGP SIGNATURE-----