Security Bulletin

Microsoft Security Bulletin MS03-012 - Important

Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066)

Published: April 09, 2003

Version: 1.0

Originally posted: April 9, 2003

Summary

Who should read this bulletin:  System administrators running Microsoft® Proxy Server 2.0 or Microsoft Internet Security and Acceleration (ISA) Server 2000.

Impact of vulnerability:  Denial of Service.

Maximum Severity Rating:  Important

Recommendation:  System administrators should install the patch at the earliest available opportunity.

Affected Software:

  • Microsoft Proxy Server 2.0
  • Microsoft ISA Server

General Information

Technical details

Technical description:

There is a flaw in the Winsock Proxy service in Microsoft Proxy Server 2.0, and the Microsoft Firewall service in ISA Server 2000, that would allow an attacker on the internal network to send a specially crafted packet that would cause the server to stop responding to internal and external requests. Receipt of such a packet would cause CPU utilization on the server to reach 100%, and thus make the server unresponsive. The Winsock Proxy service and Microsoft Firewall service work with FTP, telnet, mail, news, Internet Relay Chat (IRC), or other client applications that are compatible with Windows Sockets (Winsock). These services allow these applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to a Proxy Server 2.0 or ISA Server computer, thus establishing a communication path from the internal application to the Internet through it.

Mitigating factors:

  • The vulnerability would not enable an attacker to gain any privileges on an affected Proxy Server 2.0 or ISA Server computer or compromise any cached content. It is strictly a denial of service.
  • ISA Server computers running in cache mode are not affected because the Microsoft Firewall service is disabled by default.

Severity Rating:

Proxy Server 2.0: Important
ISA Server: Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0110

Tested Versions:

Microsoft tested Proxy Server 2.0 and ISA Server to assess whether these versions are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause a Proxy Server 2.0 or ISA Server computer to stop responding to requests. Restarting the Winsock Proxy service in Proxy Server 2.0 or the Microsoft Firewall service in ISA Server will allow the computer to function correctly again; however, it would remain vulnerable to another denial of service attack.

How could an attacker exploit this vulnerability?
An attacker could create a specially formed request and send it to the computer running Proxy Server 2.0 or ISA Server.

Could an attack that attempted to exploit this vulnerability be launched from the Internet?
An attack from the Internet would only be possible in a very specific configuration. A potential problem would only exist when a packet filter was configured to allow incoming traffic to the external interface of the Proxy Server 2.0 or ISA Server computer on port 1745. This is not a default setting and the server would need to be specifically configured in this manner, so the likelihood of an Internet attack is low.

What could this allow an attacker to do?
The vulnerability, if exploited, could allow an attacker to cause the ISA Server to stop responding to all requests.

Could an attacker use the vulnerability to take control of a Proxy Server 2.0 or ISA Server computer?
No. This is a denial of service attack only. There is no capability to usurp any administrative privileges on the ISA Server.

Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides.

What is Proxy Server 2.0?
Proxy Server 2.0 acts as a gateway to the Internet for client computers. A proxy server in general acts as an intermediary between a private network and the Internet. Proxy Server 2.0 also caches Internet content for internal users to increase performance, and reduce outgoing network bandwidth.

What is ISA Server?
ISA Server provides both an enterprise firewall and a high-performance web cache. The firewall protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The web cache helps improve network performance by storing local copies of frequently-requested web content. ISA Server can be installed in three modes: firewall mode, cache mode, or integrated mode. Firewall mode allows an administrator to secure network communication by configuring rules that control communication between the corporate network and the Internet. Cache mode improves network performance by storing frequently accessed web pages on the server itself. In integrated mode, all cache and firewall features are available.

What is Winsock?
Winsock is short for Windows Sockets, and is an Application Programming Interface (API) that allows Windows programs to communicate with other computers using the TCP/IP network protocol.

What are the Winsock Proxy service and the Microsoft Firewall service?
Proxy Server 2.0's Winsock Proxy service and ISA Server's Microsoft Firewall service both allow Internet applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to a Proxy Server 2.0 or ISA Server computer, thus establishing a communication path from the internal application to the Internet through the server computer. The services eliminate the need for a specific gateway for each protocol, such as Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Telnet, or File Transfer Protocol (FTP).

Is the Winsock Proxy Service or Microsoft Firewall service enabled by default?
The Winsock Proxy service is enabled by default in Proxy Server 2.0. The Microsoft Firewall service is enabled by default in ISA Server firewall mode and ISA Server integrated mode installations. It is disabled in ISA Server cache mode installations.

How do I know if either service is running on my server?
To detect if the affected service is running on your server, please follow the steps for the software version you have installed:

  • Proxy Server 2.0:
    • Click Start, Programs, Microsoft Proxy Server, Microsoft Management Console.
    • Inside the MMC window, expand Console Root, Internet Information Server, .
    • If Winsock Proxy appears, the Winsock Proxy service is running. If Winsock Proxy (Stopped) appears, then the Winsock Proxy service is stopped.
  • ISA Server:
    • Click Start, Settings, Control Panel.
    • Double-click Administrative Tools.
    • Double-click Services. If Microsoft Firewall is listed and its status is Started, the Microsoft Firewall service is running.

What is wrong with Proxy Server 2.0's Winsock Proxy service and ISA Server's Microsoft Firewall service?
The services incorrectly handle a response from remote clients. Sending a specially formed request can cause the server to stop responding to future requests.

How great a threat does this vulnerability pose?
In Proxy Server 2.0 the Winsock Proxy service is enabled by default. In ISA Server firewall mode and ISA Server integrated mode installations, the Microsoft Firewall service is enabled by default. This means that any internal user could potentially exploit this vulnerability to cause the Proxy Server 2.0 or ISA Server computer to stop responding to requests. The Microsoft Firewall service is disabled by default on ISA Server computers running in cache mode.

What does the Patch do?
The fix eliminates the potential for a denial of service attack by ensuring that the Winsock Proxy service or the Microsoft Firewall Service correctly responds to requests.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Microsoft Proxy Server 2.0:

This patch can be installed on systems running Proxy Server 2.0 Service Pack 1.

Inclusion in future service packs: No.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None

Microsoft ISA Server:

This patch can be installed on systems running ISA Server Service Pack 1 or ISA Server Feature Pack 1.

Inclusion in future service packs: The fix for this issue will be included in the next ISA Server service pack.

Reboot needed: No

Patch can be uninstalled: Yes

Superseded patches: None

Verifying patch installation:

  • Proxy Server 2.0:

    • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\HotFix\Q331066

    • To verify the individual files, use the date/time and version information provided in Knowledge Base article 331066.

  • ISA Server:

    • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\257

    • Alternatively you can perform the following steps to verify patch installation:

      1. Click Start, Settings, Control Panel.
      2. Double-click Add/Remove Programs.
      3. Click Microsoft ISA Server 2000 Updates.
      4. Click Change.
      5. Open the drop down menu. If ISA Hot Fix 257 appears, the patch has been successfully installed.
    • To verify the individual files, use the date/time and version information provided in Knowledge Base article 331066.
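
The registry and service checks described above, scripted for a remote audit of several servers. This is an added example, not part of the bulletin and not Microsoft's code. It assumes Windows PowerShell 5.1 on an admin workstation, the Remote Registry service running on each target, and a hypothetical host name PROXY01; the second Proxy Server key path, spelled "Windows NT" with a space, is an assumed alternative to the path as printed above.

```powershell
# Added example, not Microsoft's code. Run from an admin workstation.
param([string[]]$ComputerName = @('PROXY01'))   # hypothetical host name

# Keys the bulletin says the patch creates, relative to HKEY_LOCAL_MACHINE.
$hotfixKeys = @{
    ProxyServer20 = @(
        'SOFTWARE\Microsoft\WindowsNT\CurrentVersion\HotFix\Q331066',  # as printed in the bulletin
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q331066'  # assumption: spelling with a space
    )
    IsaServer = @('SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\257')
}

function Test-RemoteKey {
    param($Hive, [string]$Path)
    $key = $Hive.OpenSubKey($Path)   # $null when the key does not exist
    if ($key) { $key.Close(); return $true }
    return $false
}

foreach ($computer in $ComputerName) {
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
    } catch {
        Write-Warning "${computer}: remote registry unavailable, patch state unknown"
        continue
    }
    $found = @{}
    foreach ($product in $hotfixKeys.Keys) {
        $found[$product] = [bool]($hotfixKeys[$product] | Where-Object { Test-RemoteKey $hive $_ })
    }
    $hive.Close()

    # ISA Server only: the bulletin names the service by its display name.
    # The Winsock Proxy service is checked in the Proxy Server MMC instead.
    $fw = Get-Service -ComputerName $computer -DisplayName 'Microsoft Firewall' -ErrorAction SilentlyContinue
    $fwRunning = [bool]($fw -and $fw.Status -eq 'Running')

    [pscustomobject]@{
        Computer               = $computer
        ProxyHotfixQ331066     = $found.ProxyServer20
        IsaHotFix257           = $found.IsaServer
        FirewallServiceRunning = $fwRunning
        # Running firewall service without hot fix 257 is the exposed ISA state.
        IsaNeedsPatch          = $fwRunning -and -not $found.IsaServer
    }
}
```

A registry key only shows that the installer ran; the file date/time and version check against Knowledge Base article 331066 is still needed to confirm the binaries themselves.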

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

  • Microsoft Knowledge Base article 331066 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 April 9, 2003: Bulletin Created.
