__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
               ___  __ __    _     ___
              /       |     /_\   /
              \___  __|__  /   \  \___
__________________________________________________________

                      INFORMATION BULLETIN

          Microsoft IIS WebDAV Denial of Service Vulnerability

Issued:  March 13, 2001 01:00 GMT                              Number L-059
Revised: March 16, 2001 01:00 GMT
______________________________________________________________________________
PROBLEM:       Certain malformed WebDAV request packets can temporarily
               cause IIS to exhaust CPU resources.
PLATFORM:      Microsoft Internet Information Services 5.0
DAMAGE:        Temporary denial of service. Does not permanently damage,
               nor require reboot or reset once attack is complete.
SOLUTION:      Apply the provided patch.
______________________________________________________________________________
VULNERABILITY  LOW. An attack exploiting this vulnerability is temporary.
ASSESSMENT:    Further, a successful attack will not grant administrative
               or other unauthorized privileges to the attacker. It is
               simply a denial of service.
______________________________________________________________________________

[****** Start Microsoft Advisory ******]

-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------
Title:      Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
Released:   08 March 2001
Revised:    13 March 2001 (version 2.0)
Software:   IIS 5.0
Impact:     Denial of Service
Bulletin:   MS01-016

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
- --------------------------------------------------------------------

Reason for Revision:
====================
The original version of this bulletin provided a workaround (discussed
in Knowledge Base article Q241520) that would protect affected systems
by disabling WebDAV services.
However, a security patch is now available that eliminates the
vulnerability, and Microsoft recommends using the patch rather than the
workaround. We have updated both the bulletin and the narrative below to
reflect this.

Issue:
======
WebDAV is an extension to the HTTP protocol that allows remote authoring
and management of web content. In the Windows 2000 implementation of the
protocol, IIS 5.0 performs initial processing of all WebDAV requests,
then forwards the appropriate commands to the WebDAV process. However, a
flaw exists in the way WebDAV handles a particular type of malformed
request. If a stream of such requests were directed at an affected
server, it would consume all CPU availability on the server.

The patch should be applied to all machines running IIS 5.0. While this
obviously includes web servers, it's worth noting that IIS 5.0 may be
running on other types of servers as well, particularly mail servers
running Exchange 2000.

Mitigating Factors:
====================
 - The effect of an attack via this vulnerability would be temporary.
   The server would automatically resume normal service as soon as the
   malformed requests stopped arriving.
 - The vulnerability does not provide an attacker with any capability
   to carry out WebDAV requests.
 - The vulnerability does not provide any capability to compromise data
   on the server or gain administrative control over it.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
   for information on obtaining this patch.
- -------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOq7jso0ZSRQxA/UrAQF1QwgAlgv97QgEKhq/VR39SSQTzq4nEgvj0XFy
jWrxuIwFlOKiIVFV61Tjjip7HSex1OgZF4UD1EafPeNcNmE+A157Ufk3/QeQXzxO
dY0AF/cvSlGvBOk52Pw/RgYPbpez8/dAzgabz7vyDDm6zL1gqX7SKqNnzPEnldzy
8gB17X5KMduRdDSqTW7Rf09lFd9covzSZNGIDLnfzjBQiuA9UilgxxaDarfBrf67
lZ1oTjmdH1MRC39ki/p8ye0T5LSMT3AIRVCLFaJmqtOLoBV5bCIMpc1DtJhJJNqq
t3uCTi0fCcWLxLvGucix+/a0INxJtF2CZCxPoPkn6yHB92rwYBgQ4w==
=YUwQ
-----END PGP SIGNATURE-----

[****** End Microsoft Advisory ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE)
and the emergency backup response team for the National Institutes of
Health (NIH). CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global
organization established to foster cooperation and coordination among
computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
                    (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:   ftp.ciac.org
                    (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate
with CIAC. The Forum of Incident Response and Security Teams (FIRST) is
a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-049: Microsoft "Malformed Request to Domain Controller"
L-050: Microsoft Outlook VCard Unchecked Buffer Vulnerability
L-051: Microsoft "Windows 2000 Event Viewer" Vulnerability
L-052: Cisco IOS Software SNMP Read-Write ILMI Community String
L-053: Cisco IOS Software TCP Initial Sequence Number Improvements
L-054: Microsoft IIS and Exchange Malformed URL Denial of Service
L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
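Two checks an operator would want alongside the "Issue" and "Reason for Revision" sections of the Microsoft advisory quoted above: whether an IIS 5.0 host still advertises WebDAV after applying the Q241520 workaround (the surface the malformed requests need), and whether a client is sending the sustained stream of WebDAV requests the advisory describes. This is an added example, not code from the CIAC bulletin or from Microsoft. The OPTIONS replies, log lines and addresses are constructed for the example, the IIS 5.0 header layout is an assumption, and since the advisory does not describe the malformed request itself, nothing here attempts to reproduce it.

```python
"""Added example (not from the CIAC bulletin or the Microsoft advisory).
Two checks an IIS 5.0 operator can run around L-059 / MS01-016:
  webdav_advertised(): does a raw HTTP OPTIONS reply still advertise WebDAV,
    the surface these malformed requests need and what the Q241520
    workaround removes (so it verifies the workaround actually took);
  webdav_bursts(): which clients in an IIS W3C extended log are sending a
    sustained stream of WebDAV-method requests, the traffic shape described.
Sample replies and log lines are constructed; the IIS 5.0 header layout
is an assumption, not captured output.
"""
import socket
from collections import defaultdict, deque
from datetime import datetime

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def build_options_request(host, path="/"):
    """Raw HTTP/1.1 OPTIONS request asking the server what it supports."""
    return (f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_headers(raw):
    """Header name (lower-cased) -> value; repeated headers are joined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def webdav_advertised(raw_response):
    """True if the reply has a DAV header or lists WebDAV methods."""
    h = parse_headers(raw_response)
    if "dav" in h or h.get("ms-author-via", "").upper() == "DAV":
        return True
    methods = set()
    for key in ("allow", "public"):           # IIS lists methods in both
        methods |= {m.strip().upper() for m in h.get(key, "").split(",")}
    return bool(methods & WEBDAV_METHODS)


def probe(host, port=80, timeout=5.0):
    """Network form of the check (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        data, chunk = b"", s.recv(4096)
        while chunk:
            data += chunk
            chunk = s.recv(4096)
    return webdav_advertised(data)


def webdav_bursts(log_lines, threshold=50, window_seconds=10):
    """{c-ip: peak} for clients exceeding `threshold` WebDAV requests in
    any `window_seconds` span.  Needs a #Fields line naming at least
    date, time, c-ip and cs-method (W3C extended format)."""
    fields, recent, peak = None, defaultdict(deque), defaultdict(int)
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide window
            q.popleft()
        peak[rec["c-ip"]] = max(peak[rec["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


# Constructed sample data (not captured from a real server).
DAV_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
             b"MS-Author-Via: DAV\r\nDAV: 1, 2\r\n"
             b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
             b"MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
             b"Content-Length: 0\r\n\r\n")
NODAV_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
               b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n")


def sample_log():
    """60 PROPFINDs in six seconds from one client, normal traffic from another."""
    lines = ["#Software: Microsoft Internet Information Services 5.0",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    lines += [f"2001-03-13 01:00:{i // 10:02d} 10.0.0.5 PROPFIND /iisstart.asp 207"
              for i in range(60)]
    lines += ["2001-03-13 01:00:01 10.0.0.9 GET /default.htm 200",
              "2001-03-13 01:00:02 10.0.0.9 PROPFIND /docs/ 207"]
    return lines
```

The OPTIONS check keys on the DAV and MS-Author-Via headers first and falls back to the method lists, because a server with the Q241520 workaround applied should no longer answer with either; run probe() against a host only where you are authorised to. The log check keeps a per-client sliding window rather than a flat count, so a legitimate authoring client that issues a few PROPFINDs an hour stays below the threshold while a sustained stream from one address stands out.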