TUCoPS :: Web :: IIS :: ciacl059.htm

Microsoft IIS WebDAV Denial of service Vulnerability
Microsoft IIS WebDAV Denial of service Vulnerability Privacy and Legal Notice


L-059: Microsoft IIS WebDAV Denial of service Vulnerability

Issued: March 13, 2001 01:00 GMT Revised: March 16, 2001 01:00 GMT

PROBLEM: Certain malformed WebDAV Request packets can temporarily cause IIS to Exhaust CPU Resources.
PLATFORM: Microsoft Internet Information Services 5.0
DAMAGE: Temporary denial of service. Does not permanently damage, nor require reboot or reset once attack is complete.
SOLUTION: Apply the provided patch.

LOW. An attack exploiting this vulnerability is temporary. Further, a successful attack will not grant administrative or other unauthorized privileges to the attacker. It is simply a denial of service.

[******  Start Microsoft Advisory ******]


- --------------------------------------------------------------------
Title:      Malformed WebDAV Request Can Cause IIS
            to Exhaust CPU Resources
Released:   08 March 2001
Revised:    13 March 2001 (version 2.0)
Software:   IIS 5.0
Impact:     Denial of Service
Bulletin:   MS01-0016

Microsoft encourages customers to review the Security Bulletin at:
- --------------------------------------------------------------------

Reason for Revision:
The original version of this bulletin provided a workaround
(discussed in Knowledge Base article Q241520) that would protect
affected systems by disabling WebDAV services. However, a security
patch is now available that eliminates the vulnerability, and
Microsoft recommends using the patch rather than the workaround. We
have updated both the bulletin and the narrative below to reflect

WebDAV is an extension to the HTTP protocol that allows remote
authoring and management of web content. In the Windows 2000
implementation of the protocol, IIS 5.0 performs initial processing
of all WebDAV requests, then forwards the appropriate commands to the
WebDAV process. However, a flaw exists in the way WebDAV handles a
particular type of malformed request. If a stream of such requests
were directed at an affected server, it would consume all CPU
availability on the server.

The patch should be applied to all machines running IIS 5.0. While
this obviously includes web servers, it's worth noting that IIS 5.0
may be running on other types of servers as well, particularly mail
servers running Exchange 2000.

Mitigating Factors:
 - The effect of an attack via this vulnerability would be
   temporary. The server would automatically resume normal
   service as soon as the malformed requests stopped arriving.

 - The vulnerability does not provide an attacker with any
   capability to carry out WebDAV requests.

 - The vulnerability does not provide any capability to
   compromise data on the server or gain administrative
   control over it.

Patch Availability:
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   for information on obtaining this patch.

- -------------------------------------------------------------------

[******  End Microsoft Advisory ******]

CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH