Security Bulletin

Microsoft Security Bulletin MS03-009 - Moderate

Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)

Published: March 19, 2003

Version: 1.0

Originally posted: March 19, 2003

Summary

Who should read this bulletin: System administrators running Microsoft® Internet Security and Acceleration (ISA) Server 2000.

Impact of vulnerability: Denial of Service

Maximum Severity Rating: Moderate

Recommendation: System administrators should consider installing the patch.

End User Bulletin: An end user version of this bulletin is available at: https:.

Affected Software:

  • Microsoft ISA Server

General Information

Technical details

Technical description:

Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. Application filters allow ISA Server to analyze a data stream for a particular application and provide application-specific processing including inspecting, screening or blocking, redirecting, or modifying the data as it passes through the firewall. This mechanism is used to protect against invalid URLs which may indicate attempted attacks as well as attacks against internal Domain Name Service (DNS) Servers.

A flaw exists in the ISA Server DNS intrusion detection application filter. The flaw results because the filter does not properly handle a specific type of request when scanning incoming DNS requests.

An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected.

Mitigating factors:

  • By default, no DNS servers are published. DNS server publishing must be manually enabled.
  • The vulnerability would not enable an attacker to gain any privileges on an affected ISA Server or the published DNS server or to compromise any cached content on the server. It is strictly a denial of service vulnerability.

Severity Rating:

ISA Server: Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0011

Tested Versions:

Microsoft tested Proxy Server 2.0 and ISA Server to assess whether these versions are affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause an ISA Server to stop sending incoming Domain Name Service (DNS) requests to a published DNS server. Restarting the ISA Server service would allow DNS server publishing and DNS intrusion detection to function correctly again; however, the server would remain vulnerable to another denial of service attack.

Could an attacker use the vulnerability to take control of an ISA Server computer?
No. This is a denial of service attack only. There is no capability to usurp any administrative privileges.

Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides. It can only be used to prevent the ISA Server from passing any further DNS requests to the published DNS server.

Could an attack that attempted to exploit this vulnerability be launched from the Internet?
Yes, the specially formed request could be sent from the Internet to a computer running ISA Server.

What is ISA Server?
ISA Server provides both an enterprise firewall and a high-performance web cache. The firewall protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The web cache helps improve network performance by storing local copies of frequently-requested web content.

What is Domain Name Service (DNS)?
Domain Name Service (DNS) is a service that resolves a domain name to an IP address. For instance, a client computer wishing to visit the website https://www.microsoft.com must first resolve the domain name "microsoft.com" to its Internet IP address. This is done by contacting a DNS server.

What is DNS server publishing?
DNS server publishing allows an administrator to configure ISA Server to send DNS name resolution requests from an external network to an organization's internal DNS server.

What is the DNS intrusion detection filter?
When configured for DNS server publishing, the DNS intrusion detection filter scans incoming DNS requests before they are passed on to an internal DNS server for processing. This filter scans incoming requests to protect against certain forms of remote attack.

What's wrong with ISA Server's DNS intrusion detection filter?
The DNS intrusion detection filter doesn't correctly handle a particular type of DNS request under a specific circumstance. If such a request were received, it could cause the DNS server publishing feature to stop responding. Normal intrusion detection of other requests and all other ISA Server operations would be unaffected.

How great a threat does this vulnerability pose?
It depends on whether the DNS server publishing feature is enabled. By default, it's disabled. However, if it were enabled, any Internet user could potentially exploit this vulnerability to cause the DNS server publishing feature to stop responding. DNS requests received after the occurrence of a successful exploit would be stopped at the firewall and would not pass into the network.

What does the patch do?
The patch eliminates the flaw by ensuring the DNS intrusion detection filter properly processes DNS requests.
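
An added monitoring example (not part of the bulletin and not Microsoft code): because the condition described above stops DNS requests at the firewall while all other ISA Server functions keep working, an external probe that sends an ordinary, well-formed DNS query to the published address is a direct way to notice it. The address 192.0.2.53, the query name example.com and the function names are assumptions made for illustration.

```python
import socket
import struct


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a standard, well-formed DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def is_answer_to(query: bytes, response: bytes) -> bool:
    """True if response is a DNS reply (QR=1) carrying the query's transaction ID."""
    if len(response) < 12:
        return False
    txid, flags = struct.unpack("!HH", response[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)


def probe(host: str, port: int = 53, name: str = "example.com",
          txid: int = 0x1A2B, timeout: float = 2.0, attempts: int = 3) -> bool:
    """Return True if the published DNS endpoint answers within `attempts` tries."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            try:
                sock.sendto(query, (host, port))
                data, _addr = sock.recvfrom(512)
            except OSError:  # timeout or ICMP unreachable: count as no answer
                continue
            if is_answer_to(query, data):
                return True
    return False


if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for the published IP.
    up = probe("192.0.2.53")
    print("published DNS answering" if up else
          "ALERT: published DNS not answering; check ISA Server DNS publishing")
```

Run it from outside the firewall on a schedule; repeated failures while other published services still respond match the behavior this bulletin describes.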

Patch availability

Download locations for this patch:

  • Microsoft ISA Server

Additional information about this patch

Installation platforms: This patch can be installed on systems running ISA Server Service Pack 1 or ISA Server Feature Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in the next ISA Server service pack.

Reboot needed: No

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\256.

Alternatively you can perform the following steps to verify patch installation:

  1. Click Start, Settings, Control Panel.
  2. Double-click Add/Remove Programs.
  3. Click Microsoft ISA Server 2000 Updates.
  4. Click Change.
  5. Open the drop down menu.

If ISA Hot Fix 256 appears, the patch has been successfully installed.

To verify the individual files, use the date/time and version information provided in Knowledge Base article 331065.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Mike Fratto of Network Computing Magazine for reporting this issue to us and working with us to protect customers.

Support:

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (March 19, 2003): Bulletin Created.
