-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  Microsoft IIS "Cookie Marking" Vulnerability

October 24, 2000 17:00 GMT                                       Number L-010
_____________________________________________________________________________
PROBLEM:       Microsoft IIS 4 and 5 web servers do not implement secure 
               cookies for secure session management. 
PLATFORM:      Microsoft IIS 4 or 5 web servers utilizing active server pages 
               and that have both secure (https) and non-secure (http) web 
               pages. 
DAMAGE:        An intruder with full control of the communications channel 
               between a web browser and a web server serving secure web
               pages can hijack the user's session. 
SOLUTION:      Users with affected systems should install the patch and then 
               implement secure cookies in their active server page 
               application. 
_____________________________________________________________________________
VULNERABILITY  Risk is LOW. The intruder must have complete control of the 
ASSESSMENT:    communications channel between the web browser and the web 
               server. 
_____________________________________________________________________________

[****** Start of Microsoft Security Bulletin ******]

Microsoft Security Bulletin (MS00-080)
- ---------------------------------------

Patch Available for "Session ID Cookie Marking" Vulnerability

Originally posted: October 23, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. The
vulnerability could allow a malicious user to "hijack" another user's
secure web session, under a very restricted set of  circumstances.

Frequently asked questions regarding this vulnerability
and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp

Issue
=====
IIS supports the use of a Session ID cookie to track the current
session identifier for a web session. However, .ASP in IIS  does not
support the creation of secure Session ID cookies as defined in RFC
2109. As a result, secure and non-secure pages  on the same web site
use the same Session ID. If a user initiated a session with a secure
web page, a Session ID cookie would  be generated and sent to the
user, protected by SSL. But if the user subsequently visited a
non-secure page on the same site,  the same Session ID cookie would
be exchanged, this time in plaintext. If a malicious user had
complete control over the  communications channel, he could read the
plaintext Session ID cookie and use it to connect to the user's
session with the  secure page. At that point, he could take any
action on the secure page that the user could take.

The conditions under which this vulnerability could be exploited are
rather daunting. The malicious user would need to have  complete
control over the other user's communications with the web site. Even
then, the malicious user could not make the  initial connection to
the secure page - only the legitimate user could do that. The patch
eliminates the vulnerability by  adding support for secure Session ID
cookies in .ASP pages. (Secure cookies already are supported for all
other types of  cookies, under all other technologies in IIS).

Affected Software Versions
==========================
 - Microsoft Internet Information Server 4.0
 - Microsoft Internet Information Services 5.0

Patch Availability
==================
 - IIS 4.0:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25233
 - IIS 5.0:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25232

Note: The patch installs support for secure Session ID cookies, but
does not enable it for reasons of application  compatibility. As
discussed in the Knowledge Base article, it can be enabled or
disabled on a site-by-site basis.

Note:
 - The IIS 4.0 version of this patch can be installed on Windows
   NT(r) 4.0 systems running Service Pack 6a, and will be included in
   Service Pack 7.
 - The IIS 5.0 version of this patch can be installed on
   Windows(r) 2000 systems with or without Service Pack 1, and will
   be included in Service Pack 2.

Note: Additional security patches are available at the Microsoft
Download Center

More Information
================
Please see the following references for more information related to
this issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-080,
   http://www.microsoft.com/technet/security/bulletin/fq00-080.asp
 - Microsoft Knowledge Base article Q274149 discusses this issue
   and will be available soon.
 - RFC 2109, HTTP State Management,
   http://www.ietf.org/rfc/rfc2109.txt.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks ACROS Security (http://www.acros.si/) and Ron Sires
and C. Conrad Cady of Healinx (http://www.healinx.com/)  for
reporting this issue to us and working with us to protect customers.

Revisions
=========
 - October 23, 2000: Bulletin Created.

[****** End of Microsoft Security Bulletin ******]

_____________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_____________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-073:  Multiple Vulnerabilities in Check Point Firewall-1
L-001:  Linux/BSD initialized data overflow in Xlock 
L-002:  Cisco Secure PIX Firewall Mailguard Vulnerability
L-003:  FreeBSD TCP Sequence Number Vulnerability 
L-004:  FreeBSD LPRng Vulnerability 
L-005:  Linux 'tmpwatch' Vulnerability
L-006:  HP-UX lpspooler and ftpd Vulnerabilities
L-007:  Microsoft IIS Folder Traversal
L-008:  Microsoft HyperTerminal Buffer Overflow
L-009:  Red Hat Linux "ypbind" Vulnerability


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBOfXO5rnzJzdsy3QZAQHbEgP/cRSi5hWuQ7WabXYSthAUlwA462IP906w
X5FOPcivudV1zIg4knVX2Y97TqVUQEujBEwZAnmD0DGeKI0+Ej0nh9UhdvZpavaC
QVfTBunLD0rMdZsLHGdGrG9raCrTasV4Na4O/COqR52ztKEN0bxSljITUCF7s9Al
RTvjWuhv1eM=
=1Vgd
-----END PGP SIGNATURE-----