ALERT-TSA03-005

TSA 03-005 - IIS Server Protection

Current Assessment: RED HOT

Initial Assessment: HOT

Current Assessment Date: March 17, 2003

Time: 1630 UTC

Initial Assessment Date: March 14, 2003

Threat: High, exploit code exists and reports have been received indicating that systems have been compromised. We expect an acceleration of attacks and the eventual creation of a worm based on this vulnerability.

Vulnerability Prevalence: High, WebDAV is a default option for IIS 5.0 on Win2K systems, and thus should be disabled if not required (or other mitigations applied as below if required).

Cost: High, the known exploit allows remote execution under the permissions of the LOCAL_SYSTEM.

Summary: Credible sources indicate that an exploit exists to compromise IIS 5.0 servers on Windows 2000 including all service packs. This exploits an unchecked buffer in the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.  As described in our TSRadar post last week, Microsoft's URLScan (or a registry key change) will limit the length of HTTP requests to the IIS server, disabling the currently known exploit.

URLScan is available from Microsoft's Web site:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

We recommend the following base settings:

MaxUrl: 1024

MaxQueryString: 1024

Obviously, if either URLs or queries for your site need to be larger, you can adjust the values, though we recommend trying to limit this to under 2k (2048 bytes) wherever possible.
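As an added example (not code from this alert, from URLScan or from Microsoft), a small Python audit that parses a urlscan.ini and reports whether its request-length limits meet the base settings above. It assumes URLScan's documented [RequestLimits] section with the MaxUrl and MaxQueryString keys; the sample ini is constructed.

```python
# Added example (not TruSecure's or Microsoft's code): audit a URLScan urlscan.ini
# against the request-length limits stated in this alert. Assumes URLScan's
# documented [RequestLimits] section with MaxUrl / MaxQueryString keys.
import configparser

RECOMMENDED = {"MaxUrl": 1024, "MaxQueryString": 1024}  # alert's base settings
CEILING = 2048                                          # "under 2k wherever possible"

# Constructed sample: the admin kept a large query-string limit and never set MaxUrl.
SAMPLE_INI = """\
[AllowVerbs]
GET
POST
[RequestLimits]
MaxAllowedContentLength=30000000 ; 30 MB
MaxQueryString=4096
"""

def load_urlscan_ini(text):
    """Parse urlscan.ini text. URLScan lists bare verbs/extensions without '='
    and uses ';' comments, so configparser needs allow_no_value and an inline
    comment prefix."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def audit_request_limits(text, ceiling=CEILING):
    """Return {key: (value or None, verdict)} for each limit the alert recommends.
    Verdicts: 'ok' (<= recommended), 'over-recommended' (<= ceiling),
    'too-large' (> ceiling), 'missing' (section or key absent)."""
    cp = load_urlscan_ini(text)
    # configparser compares section names case-sensitively; URLScan does not.
    section = next((s for s in cp.sections() if s.lower() == "requestlimits"), None)
    findings = {}
    for key, recommended in RECOMMENDED.items():
        if section is None or not cp.has_option(section, key):
            findings[key] = (None, "missing")  # unconfigured: the limit is not enforced as intended
            continue
        value = cp.getint(section, key)
        if value <= recommended:
            verdict = "ok"
        elif value <= ceiling:
            verdict = "over-recommended"
        else:
            verdict = "too-large"
        findings[key] = (value, verdict)
    return findings
```

Run it against the urlscan.ini from the URLScan install directory; any "missing" or "too-large" verdict means the request-length mitigation described above is not in place.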

MITIGATIONS: (any of those below will mitigate the current attack)

1. To completely disable WebDAV including the PUT and DELETE requests, make the following changes in the registry.

a. Start Registry Editor (Regedt32.exe).

b. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

c. On the Edit menu, click Add Value, and then add the following registry value:

Value name: DisableWebDAV

Data type: DWORD

Value data: 1

2. Use URLScan to set a limit on the size of allowable HTTP requests (see above).

3. Alternately, you may wish to explore using the MaxClientRequestBuffer registry key to limit the size of a request.

This key is documented at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

Please note that this controls the buffer size of *all* data into an IIS server, and so may affect things like Outlook Web Access (OWA) and file uploads. By default IIS 5 sets it at 128 KB. While it's likely that most production servers should have this value set lower, we expect that it will only be useful as a protection mechanism if the size of the buffer is less than 2k (limits as large as 4K are expected to work for this particular exploit, but other versions may operate at smaller limits).

4. Microsoft has released a security bulletin that includes the patch for this vulnerability, available at:

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The newly updated TruSecure Essential Configuration currently available from your TruSecure Analyst, or from the TruSecure Customer portal includes instructions on disabling WebDAV as well as other controls that TruSecure believes are essential for the security of IIS web servers.

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.