|
|
| PROBLEM: | Certain malformed WebDAV Request packets can temporarily cause IIS to Exhaust CPU Resources. |
| PLATFORM: | Microsoft Internet Information Services 5.0 |
| DAMAGE: | Temporary denial of service. Does not permanently damage, nor require reboot or reset once attack is complete. |
| SOLUTION: | Apply the provided patch. |
| VULNERABILITY ASSESSMENT: | LOW. An attack exploiting this vulnerability is temporary. Further, a successful attack will not grant administrative or other unauthorized privileges to the attacker. It is simply a denial of service. |
[****** Start Microsoft Advisory ******]
-----BEGIN PGP SIGNED MESSAGE-----
- --------------------------------------------------------------------
Title: Malformed WebDAV Request Can Cause IIS
to Exhaust CPU Resources
Released: 08 March 2001
Revised: 13 March 2001 (version 2.0)
Software: IIS 5.0
Impact: Denial of Service
Bulletin: MS01-0016
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
- --------------------------------------------------------------------
Reason for Revision:
====================
The original version of this bulletin provided a workaround
(discussed in Knowledge Base article Q241520) that would protect
affected systems by disabling WebDAV services. However, a security
patch is now available that eliminates the vulnerability, and
Microsoft recommends using the patch rather than the workaround. We
have updated both the bulletin and the narrative below to reflect
this.
Issue:
======
WebDAV is an extension to the HTTP protocol that allows remote
authoring and management of web content. In the Windows 2000
implementation of the protocol, IIS 5.0 performs initial processing
of all WebDAV requests, then forwards the appropriate commands to the
WebDAV process. However, a flaw exists in the way WebDAV handles a
particular type of malformed request. If a stream of such requests
were directed at an affected server, it would consume all CPU
availability on the server.
The patch should be applied to all machines running IIS 5.0. While
this obviously includes web servers, it's worth noting that IIS 5.0
may be running on other types of servers as well, particularly mail
servers running Exchange 2000.
Mitigating Factors:
====================
- The effect of an attack via this vulnerability would be
temporary. The server would automatically resume normal
service as soon as the malformed requests stopped arriving.
- The vulnerability does not provide an attacker with any
capability to carry out WebDAV requests.
- The vulnerability does not provide any capability to
compromise data on the server or gain administrative
control over it.
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
for information on obtaining this patch.
- -------------------------------------------------------------------
[****** End Microsoft Advisory ******]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)