SecurityvulnsSECURITYVULNS:DOC:21659Microsoft Security Bulletin MS09-016 - Important Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
Microsoft Security Bulletin MS09-016 - Important
Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
Published: April 14, 2009
Version: 1.0
General Information
Executive Summary
This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.
This security update is rated Important for Forefront TMG MBE, ISA Server 2004, and ISA Server 2006. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by modifying the way that the firewall engine handles the TCP state and the way that HTTP forms authentication handles input. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. None.
Top of sectionTop of section
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Software Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Microsoft Forefront Threat Management Gateway, Medium Business Edition*
(KB968075)
Denial of Service
Important
None
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3**
(KB960995)
Denial of Service
Important
None
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
(KB960995)
Denial of Service
Important
None
Microsoft Internet Security and Acceleration Server 2006
(KB968078)
Denial of Service
Important
None
Microsoft Internet Security and Acceleration Server 2006 Supportability Update
(KB968078)
Denial of Service
Important
None
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
(KB968078)
Denial of Service
Important
None
*Microsoft Forefront TMG MBE is delivered both as a standalone product and as a component of Windows Essential Business Server 2008.
**Microsoft ISA Server 2004 Standard Edition is delivered as a standalone product. Microsoft ISA Server 2004 Standard Edition is also delivered as a component of Windows Small Business Server 2003 Premium Edition Service Pack 1 and Windows Small Business Server 2003 R2 Premium Edition.
Non-Affected Software
Software
Microsoft Internet Security and Acceleration Server 2000 Service Pack 2
Top of sectionTop of section
Frequently Asked Questions (FAQ) Related to This Security Update
Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 961759.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are related to the same functionality. Instead of having to install several updates that are almost the same, customers need to install this update only.
If I reconfigure an existing TMG management-only installation to a full firewall or proxy installation, do I need to reapply the update?
Yes. If you have applied this update and then reconfigured a TMG management-only installation to a full firewall or proxy installation, you must reapply the KB968075 update.
If I upgrade an existing ISA Server 2006 installation to the ISA Server 2006 Supportability Update or to ISA Server 2006 Service Pack 1, do I need to reapply the update?
Yes. If you have applied this update and then upgraded from ISA Server 2006 to the ISA Server 2006 Supportability Update or ISA Server 2006 Service Pack 1, or upgraded from ISA Server 2006 Supportability Update to ISA Server 2006 Service Pack 1, you must apply the KB968078 package that corresponds to the newly installed ISA Server 2006 Supportability Update or ISA Server 2006 Service Pack 1.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.
Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077 Cross-Site Scripting Vulnerability - CVE-2009-0237 Aggregate Severity Rating
Microsoft Forefront Threat Management Gateway, Medium Business Edition
Important
Denial of Service
Moderate
Spoofing and Information Disclosure
Important
Microsoft Internet Security and Acceleration Server 2004 Service Pack 3
Important
Denial of Service
Not applicable
Important
Microsoft Internet Security and Acceleration Server 2006
Important
Denial of Service
Moderate
Spoofing and Information Disclosure
Important
Internet Security and Acceleration Server 2006 Supportability Update
Important
Denial of Service
Moderate
Spoofing and Information Disclosure
Important
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Important
Denial of Service
Moderate
Spoofing and Information Disclosure
Important
Top of sectionTop of section
Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077
A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0077.
Mitigating Factors for Web Proxy TCP State Limited Denial of Service Vulnerability - CVE- 2009-0077
Microsoft has not identified any mitigating factors for this vulnerability.
Top of sectionTop of section
Workarounds for Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077
Microsoft has not identified any workarounds for this vulnerability.
Top of sectionTop of section
FAQ for Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077
What is the scope of the vulnerability?
This is a denial of service vulnerability. A remote, anonymous attacker who successfully exploited this vulnerability could cause the affected Web listener to become non-responsive.
What causes the vulnerability?
This vulnerability results because firewall engine state management does not handle the session state correctly for Web listeners. This limitation could lead to orphaned open sessions that can cause a denial of service.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the affected system's Web listener to become non-responsive.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by sending specially crafted network packets to the affected system.
What systems are primarily at risk from the vulnerability?
Forefront TMG MBE, ISA Server 2004, and ISA Server 2006 systems are primarily at risk from this vulnerability.
What does the update do?
The update addresses this vulnerability by modifying the way that the firewall engine handles the TCP state for Web listeners.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-0077.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section
Cross-Site Scripting Vulnerability - CVE-2009-0237
A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0237.
Mitigating Factors for Cross-Site Scripting Vulnerability - CVE-2009-0237
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
•
ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).
•
ISA Server 2006 or Forefront TMG MBE deployments that are used for Web publishing but are not using HTML forms authentication are not vulnerable.
•
Even if Web publishing is enabled, the vulnerable code is exposed only if HTML forms authentication is enabled on the default Web listener.
Note Forefront TMG MBE as installed with Windows Essential Business Server is configured for forms-based authentication on the External Web Listener by default.
Top of sectionTop of section
Workarounds for Cross-Site Scripting Vulnerability - CVE-2009-0237
Microsoft has not identified any workarounds for this vulnerability.
Top of sectionTop of section
FAQ for Cross-Site Scripting Vulnerability - CVE-2009-0237
What is the scope of the vulnerability?
This is a non-persistent cross-site scripting (XSS) vulnerability. An attacker who successfully exploited this vulnerability could cause script code to run on the machine of another user in the guise of a third-party Web site. Such script code would run inside the browser when visiting the third-party Web site, and could take any action on the user's computer that the third-party Web site was permitted to take. The vulnerability could only be exploited if the user clicked on a hypertext link, either in an HTML e-mail or if the user visited an attacker's Web site or a Web site containing content that is under the attacker’s control.
What causes the vulnerability?
This vulnerability results from improper input validation of the HTTP stream. This error provides the ability to execute a cross-site scripting attack through the cookieauth.dll component in ISA Server or Microsoft Forefront TMG MBE.
What is cross-site scripting?
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to "inject" script code into a user's session with a Web site. The vulnerability can affect Web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow malicious script to be executed. Web browsers may perpetuate this problem through their assumptions of "trusted" sites and their use of cookies to maintain persistent state with the Web sites that they frequent. An XSS attack does not modify Web site content. Instead, it inserts new, malicious script that can execute at the browser in the context that is associated with a trusted server.
How does cross-site scripting work?
Web pages contain text and HTML markup. Text and HTML markup are generated by the server and are interpreted by the client. If untrusted content is introduced into a dynamic page, neither the server nor the client has sufficient information to recognize that this injection has occurred and to take protective measures.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by having a user visit the affected Web site using a specially crafted URL. This can be done by way of any medium that can contain URL Web links controlled by the attacker, such as a link in an e-mail, on a Web site, or a redirect on a Web site. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the affected Web site using a specially crafted URL, or to the attacker's Web site.
What systems are primarily at risk from the vulnerability?
ISA Server 2006 and Forefront TMG MBE systems that make use of HTML forms authentication are primarily at risk from this vulnerability.
What does the update do?
The update addresses this vulnerability by modifying the way that cookieauth.dll validates HTTP forms authentication input.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
•
New York State Chief Information Officer / Office for Technology for reporting the Cross-Site Scripting Vulnerability (CVE-2009-0237)
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
•
Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
•
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
•
V1.0 (April 14, 2009): Bulletin published.
Related
