COMMAND
ISA Server
SYSTEMS AFFECTED
ISA Server
PROBLEM
Following is based on a Microsoft Security Bulletin MS01-045.
This bulletin discusses three security vulnerabilities that are
unrelated except in the sense that all three affect ISA Server 2000:
- A denial of service vulnerability involving the H.323 Gatekeeper
Service, a service that supports the transmission of
voice-over-IP traffic through the firewall. The service
contains a memory leak that is triggered by a particular type
of malformed H.323 data. Each time such data is received, the
memory available on the server is depleted by a small amount; if
an attacker repeatedly sent such data, the performance of the
server could deteriorate to the point where it would effectively
disrupt all communications across the firewall. A server
administrator could restore normal service by cycling the H.323
service.
The vulnerability could only be exploited if the H.323
Gatekeeper Service was installed. It is only installed by
default if "Full Installation" is chosen; if "Typical
Installation" is selected, it is not installed. The
vulnerability would not enable an attacker to gain any
privileges on an affected server or add any traffic to an
existing voice-over-IP session. It is strictly a denial of
service vulnerability.
- A denial of service vulnerability in the Proxy service. Like the
vulnerability above, this one is caused by a memory leak, and could
be used to degrade the performance of the server to the point where
it disrupted communications.
The vulnerability could only be exploited by an internal user;
it could not be exploited by an Internet user. The
vulnerability would not enable an attacker to gain any
privileges on an affected server or compromise any cached
content on the server. It is strictly a denial of service
vulnerability.
- A cross-site scripting vulnerability affecting the error page
that ISA Server 2000 generates in response to a failed request
for a web page. An attacker could exploit the vulnerability by
tricking a user into submitting to ISA Server 2000 a URL that
has the following characteristics: (a) it references a valid
web site; (b) it requests a page within that site that can't be
retrieved - that is, a non-existent page or one that generates
an error; and (c) it contains script within the URL. The error
page generated by ISA Server 2000 would contain the embedded
script commands, which would execute when the page was displayed
in the user's browser. The script would run in the security
domain of the web site referenced in the URL, and would be able
to access any cookies that site has written to the user's
machine.
In order to run script in the security domain of a trusted site,
the attacker would need to know which sites, if any, a user
trusted. Most users use the default security settings for all
web sites, which would effectively deny an attacker any gain in
exploiting the vulnerability for the purposes of running
script. An attacker who wished to read other sites' cookies on
a user's machine would have no way to know which sites had
placed cookies there. The attacker would need to exploit the
vulnerability once for every web site whose cookies she wished
to access. Even if the attacker correctly guessed which sites
had placed cookies on a user's machine, there should be no
sensitive information in the cookies, if best practices have
been followed.
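The error-page reflection described above, as an added Python illustration (not ISA Server's code; the URL, log lines and HTML template are constructed): the unsafe echo next to its escaped form, plus a scanner over proxy log lines that flags failed requests whose URL carries script markup.

```python
"""Reflected XSS in a proxy error page: unsafe echo beside the escaped form.

Added illustration, not ISA Server code: a proxy fails to fetch a page and
echoes the requested URL back into its HTML error page.
"""
import html
from urllib.parse import unquote

# Constructed sample URL with the three properties the advisory lists:
# a valid site, an unretrievable page, and script embedded in the URL.
SAMPLE_URL = "http://www.example.com/no-such-page<script>alert(document.cookie)</script>"

# Constructed proxy log lines (client, status, requested URL) for the scanner.
SAMPLE_LOG = [
    "10.0.0.5 200 http://www.example.com/index.html",
    "10.0.0.7 404 http://www.example.com/x%3Cscript%3Ealert(1)%3C/script%3E",
    "10.0.0.9 404 http://www.example.com/missing.html",
]

TEMPLATE = "<html><body><h1>Error</h1><p>Cannot retrieve {}</p></body></html>"


def vulnerable_error_page(url: str) -> str:
    """Echoes the URL verbatim, so markup in the URL becomes markup in the page."""
    return TEMPLATE.format(url)


def hardened_error_page(url: str) -> str:
    """HTML-escapes the URL first; the browser renders it as text, not script."""
    return TEMPLATE.format(html.escape(url, quote=True))


def reflects_markup(url: str, page: str) -> bool:
    """True when a '<...>' tag taken from the URL appears verbatim in the page."""
    start = url.find("<")
    end = url.find(">", start)
    if start == -1 or end == -1:
        return False
    return url[start:end + 1] in page


def suspicious_requests(log_lines: list[str]) -> list[str]:
    """Return log lines whose percent-decoded URL carries script markup.

    Only failed requests (status 4xx/5xx) reach the error page, so only
    those lines are worth alerting on."""
    hits = []
    for line in log_lines:
        _client, status, url = line.split(" ", 2)
        decoded = unquote(url).lower()
        if status[0] in "45" and ("<script" in decoded or "javascript:" in decoded):
            hits.append(line)
    return hits
```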
Acknowledgment goes to Peter Grundl for reporting the memory
leaks in the H.323 Gatekeeper Service and the Proxy Service and
Dr. Hiromitsu Takagi for reporting the cross-site scripting
vulnerability.
SOLUTION
A patch is available to fix these vulnerabilities. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-045.asp
for information on obtaining this patch.