COMMAND

    Internet Security and Acceleration (ISA) Server

SYSTEMS AFFECTED

    Internet Security and Acceleration (ISA) Server for Windows 2000 Server

PROBLEM

    The following is based on Defcom Labs Advisory def-2001-16 by
    Peter Grundl and Andreas Sandor. If an alert action has been
    chosen in the ISA server console, a malicious attacker can cause
    a Denial of Service condition on the ISA server.

    By default, the log settings on a Windows 2000 server are not set
    to overwrite the log files as needed, and since the installation
    of the ISA server does not change these settings, the same holds
    for the ISA server. If you enable the "Event Log Failure" option
    in the ISA console, an attacker can send in spoofed packets of
    any kind that trigger event log entries. Once the log can no
    longer accept entries, the ISA server starts spawning a CMD.EXE
    for each event log failure. The result is a server that runs
    very slowly and consumes all available memory.

    This continues even after the ISA server is rebooted, until the
    event log is cleared.

    The authors used ISIC to create a flood of spoofed, random packets:

        http://www.packetfactory.net/Projects/ISIC/

    Whether you chalk this one up as a security vulnerability or  not,
    it is still a potential problem that should be given attention  if
    you set up an "Internet Security and Acceleration" Server.

SOLUTION

    Make sure either that your log file is overwritten as needed or
    that the "event log failure" option is disabled in the ISA
    firewall. The issue is now described by MSRC in Q284800:

        http://support.microsoft.com/support/kb/articles/q284/8/00.ASP
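
    One way to check the first half of the fix across all event logs
    (an added example, not part of the Defcom advisory or Q284800):
    it reads a regedit text export of the EventLog key and flags every
    log not set to overwrite as needed. It assumes the standard
    "Retention" DWORD semantics (0 = overwrite as needed, 0xFFFFFFFF =
    never overwrite, anything else = age in seconds); the sample input
    and the function names are constructed for illustration.

```python
import re

# Constructed sample in regedit export (.reg) text form; not from a real host.
# (Decode the exported file to text before passing it to audit().)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:00080000
"Retention"=dword:00093a80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SampleSource]
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"Retention"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"Retention"=dword:00000000
'''

LOG_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet'
                     r'\\Services\\EventLog\\([^\\\]]+)\]$', re.I)
RETENTION = re.compile(r'^"Retention"=dword:([0-9a-f]{8})$', re.I)

def describe(retention):
    """Map the Retention DWORD to the policy it selects."""
    if retention == 0:
        return "overwrite as needed"
    if retention == 0xFFFFFFFF:
        return "never overwrite"
    return "overwrite events older than %d days" % (retention // 86400)

def audit(reg_text):
    """Return {log: (policy, needs_fix)}; needs_fix is False only for overwrite-as-needed."""
    results, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            m = LOG_KEY.match(line)
            current = m.group(1) if m else None   # skip event-source subkeys
            if current:
                results[current] = ("Retention value not present", True)
            continue
        m = RETENTION.match(line)
        if current and m:
            value = int(m.group(1), 16)
            results[current] = (describe(value), value != 0)
    return results

if __name__ == "__main__":
    for log, (policy, needs_fix) in sorted(audit(SAMPLE_REG).items()):
        print("%-12s %-40s %s" % (log, policy, "FIX" if needs_fix else "ok"))
```

    Any log reported as FIX can still fill up and trigger the "Event
    Log Failure" alert action described above.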