What's the scope of this vulnerability?
This is a denial of service vulnerability. If an attacker exploited this vulnerability against an affected server, she could temporarily prevent it from providing web services. The effect of an attack via this vulnerability would only last as long as a continuous stream of requests was directed at an affected server, after which point normal service would automatically resume. The vulnerability does not provide any means to add, delete or change data on the server, or usurp administrative control over it.
What causes the vulnerability?
The vulnerability results because WebDAV does not correctly process a request that has been malformed in a particular way. By sending a continuous stream of such requests, even at a relatively low rate, all of the server's CPU availability could be consumed.
What is WebDAV?
To explain what WebDAV is, we first need to discuss HTTP. HTTP, or Hypertext Transfer Protocol, is the industry standard protocol by which web content is communicated. It enables clients to request web content, and enables web servers to either supply the content or tell the client why it was unable to supply it.
WebDAV is an extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning", and it adds a capability for authorized users to remotely add and manage content on a web server. WebDAV is fully supported in Windows 2000 and ships as part of the product.
What's wrong with WebDAV?
WebDAV does not properly handle a particular type of specially malformed request. If a continuous stream of such requests were sent to an affected server, it could degrade the server's performance to the point where it would be unable to perform useful work.
What would this enable an attacker to do?
An attacker could use this vulnerability to temporarily disrupt service on an affected server. During such an attack, the server would be unable to service existing HTTP sessions or accept new ones.
How long would the effect of an attack last?
The effect of the attack would only last as long as the attacker continued directing malformed WebDAV requests at the server. Once the requests stopped arriving, the server would resume normal operation. It would not be necessary for the operator to take any action.
Isn't this a flooding attack?
No. The scenario here is similar to a flooding attack, in the sense that it involves the attacker sending a continuous stream of requests. However, in a flooding attack, it's usually necessary for the attacker to expend about the same quantity of resources as those she wants to deny on the server. For instance, flooding attacks frequently require the attacker to dedicate a machine for each server she wishes to attack. In this case, however, the attacker would have to expend relatively few resources in order to attack an affected machine.
Who could exploit the vulnerability?
The only prerequisite for exploiting the vulnerability is the ability to deliver the malformed WebDAV requests to an affected server. It would not be necessary for the attacker to authenticate to the machine.
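A defender-side check for the pattern described above (a continuous, possibly slow stream of WebDAV requests from a client that has not authenticated), as an added example that is not part of the original bulletin. It assumes W3C extended logs containing the date, time, c-ip, cs-username and cs-method fields; the function names, thresholds and sample log lines are constructed for illustration, and the method list comes from RFC 2518 rather than from the bulletin.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Methods defined by the WebDAV specification (RFC 2518); plain HTTP methods are ignored.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Constructed sample in W3C extended log format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-03-08 10:00:00 192.0.2.10 - GET /default.htm 200
2001-03-08 10:00:05 198.51.100.7 - PROPFIND /docs/ 207
2001-03-08 10:00:30 198.51.100.7 - PROPFIND /docs/ 207
2001-03-08 10:00:40 192.0.2.20 CORP\\alice PROPFIND /site/ 207
2001-03-08 10:00:55 198.51.100.7 - LOCK /docs/a.doc 200
2001-03-08 10:01:20 198.51.100.7 - PROPFIND /docs/ 207
2001-03-08 10:02:00 192.0.2.30 - PROPFIND / 207
2001-03-08 10:20:00 192.0.2.30 - PROPFIND / 207
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def sustained_webdav_sources(lines, max_gap=timedelta(seconds=30),
                             min_duration=timedelta(seconds=60)):
    """Return {client_ip: (requests, duration)} for each unauthenticated client whose
    longest run of WebDAV requests (gaps <= max_gap) lasts at least min_duration."""
    seen = defaultdict(list)
    for rec in parse_w3c(lines):
        if rec["cs-method"].upper() in WEBDAV_METHODS and rec["cs-username"] == "-":
            seen[rec["c-ip"]].append(
                datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        runs, start = [], 0
        for i in range(1, len(stamps) + 1):
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap:
                runs.append((stamps[i - 1] - stamps[start], i - start))
                start = i
        duration, count = max(runs)
        if duration >= min_duration:
            flagged[ip] = (count, duration)
    return flagged
```

The check keys on how long a stream lasts rather than on request volume, because the bulletin notes that even a relatively low request rate is enough to consume the server's CPU.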
Would this vulnerability enable an attacker to take any action on an affected system?
No. This is strictly a denial of service vulnerability. There is no capability to use this vulnerability to compromise data on the system or to take any kind of administrative action on it.
Is WebDAV installed and running by default?
Yes. WebDAV is installed by default on IIS 5.0 web servers.
Does this vulnerability affect IIS 4.0?
No. WebDAV did not ship as part of IIS 4.0.
Are any other servers affected by this vulnerability?
Exchange 2000 Server utilizes IIS 5.0 to provide Outlook Web Access (OWA) services. Exchange 2000 Servers providing OWA services should consider installing this patch to protect their IIS 5.0 services from this vulnerability.
When this bulletin was originally released, it provided a workaround rather than a patch. If I applied the workaround, do I need the patch?
The workaround (discussed in Microsoft Knowledge Base article Q241520) is an effective way to defend against this vulnerability, and customers can use it if desired. In particular, customers who are using a language version for which a patch isn't yet available may wish to continue using the workaround.
In general, however, it's better to use the patch than the workaround. The patch corrects the flaw in WebDAV, where the workaround disables it completely. While disabling WebDAV wouldn't prevent an IIS or Exchange server from offering web services, it would prevent WebDAV requests from being processed, and this could cause the loss of features like the following:
- Web Folders
- Publishing to the website using Office 2000 (but not via FrontPage Server Extensions)
- Monitoring an IIS 5.0 server via Digital Dashboard
I've already implemented the workaround, but I'd like to apply the patch. How can I return my system to the state it was in before I applied the workaround?
If you've applied the workaround and would now like to apply the patch and re-enable WebDAV, refer to "Steps to Re-enable WebDAV" in KB article Q241520.