Monday, April 20, 2015

EighTwOne: Mitigating MS15-034 exploit using IIS

This week, Microsoft released security fix MS15-034 (KB3042553) for IIS, addressing a vulnerability that potentially allows remote code execution on IIS, denial of service (DoS) attacks, or bugchecking of servers. Since Exchange leverages IIS, Exchange servers are affected.

The vulnerability is easy to exploit, using an HTTP or HTTPS request that specifies a Range header with a value of 18446744073709551615 (the maximum 64-bit unsigned integer). The Range header, introduced in the HTTP/1.1 specification, lets the requester receive only a portion of the data, for example the first few bytes of a JPG to determine its dimensions. The issue occurs when an out-of-bounds value is specified. For example, using cURL you can specify a Range header like this:

curl -v http://ift.tt/1HoaKhI -H "Host: contoso.com" -H "Range: bytes = 0-8192" -k
Exchange fellow Dave Stork did a nice write-up on the issue and on how to prevent it from happening, namely:
  • The most recommended solution is of course to install the KB3042553 security fix on servers running IIS, starting with servers that are internet-facing.
  • Filter requests on your reverse proxy, load balancer or IPS solution. KEMP has provided instructions on how to accomplish this on their LoadMasters here, and the SANS ISC has provided instructions for Snort here.
  • Disable IIS kernel caching; this is not recommended, however, due to its impact on performance.

There is, however, another alternative: IIS’ Request Filtering. Provided you have installed this IIS feature using Server Manager > Roles and Features or by running Add-WindowsFeature Web-Filtering, you can configure the request filter via IIS Manager > Request Filtering > Headers, defining a size limit for the Range header, e.g.

Header: Range
Size Limit: 25

You can also use appcmd.exe to configure this request filter:

%SystemRoot%\System32\inetsrv\appcmd.exe set config -section:requestFiltering /+"requestLimits.headerLimits.[header='Range',sizeLimit='25']"

This creates a rule that limits the value of the Range header to 25 characters. Any request whose Range header value is longer than 25 characters gets an HTTP 404 response, while a short, legitimate value such as the bytes=0-8192 shown above passes; the 64-bit maximum value alone is already 20 digits long.
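The same header limit applied with the WebAdministration PowerShell module instead of appcmd.exe, read back, and smoke-tested; this is an added example, not code from the original post. The hostname mail.contoso.com and the test range values are assumptions.

```powershell
# Added example, not from the original post: apply the Range header size
# limit described above with the WebAdministration PowerShell module
# (an alternative to appcmd.exe), read it back, and smoke-test it.
Import-Module WebAdministration

$limit  = 25                           # size limit used in the article
$psPath = 'MACHINE/WEBROOT/APPHOST'    # server-wide applicationHost.config
$filter = 'system.webServer/security/requestFiltering/requestLimits/headerLimits'

# Idempotent: create the <add header="Range" sizeLimit="25" /> entry only if
# it is missing, otherwise make sure the existing entry carries the limit.
$rangeEntry = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Where-Object { $_.header -eq 'Range' }
if (-not $rangeEntry) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ header = 'Range'; sizeLimit = $limit }
} elseif ([int]$rangeEntry.sizeLimit -ne $limit) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@header='Range']" `
        -Name 'sizeLimit' -Value $limit
}

# Show every header limit now in force (Range should be listed with 25).
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object header, sizeLimit

# Returns the HTTP status code a request with the given Range value receives.
# Invoke-WebRequest throws on 4xx/5xx, so the code is read from the exception.
function Test-RangeHeader([string]$Url, [string]$Range) {
    try {
        $r = Invoke-WebRequest -Uri $Url -Headers @{ Range = $Range } -UseBasicParsing
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no HTTP response at all (DNS, TLS, connection failure)
    }
}

# Hostname is assumed. The short value from the article (12 characters) passes
# the filter; a well-formed multi-range value of 31 characters is over the
# limit and is expected to come back as 404.
$url = 'https://mail.contoso.com/owa/'
Test-RangeHeader $url 'bytes=0-8192'
Test-RangeHeader $url 'bytes=0-1,2-3,4-5,6-7,8-9,10-11'

# The filter is a stopgap; confirm the actual fix is installed as well.
Get-HotFix -Id 'KB3042553' -ErrorAction SilentlyContinue
```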


Filed under: Exchange Tagged: Hotfix, IIS

from Exchange News Full Article
