This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability details section of this bulletin. This vulnerability could enable an attacker to spoof trusted Internet content.

Credit:
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx
Affected Software:
Microsoft Proxy Server 2.0 Service Pack 1 - Download the update
Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet Security and Acceleration Server 2000 Service Pack 2 - Download the update
Note: The following software programs include Microsoft Internet Security and Acceleration Server 2000 (ISA Server 2000). Customers using these software programs should install the provided ISA Server 2000 security update.
* Microsoft Small Business Server 2000
* Microsoft Small Business Server 2003 Premium Edition
Non-Affected Software:
* Microsoft Internet Security and Acceleration (ISA) Server 2004
CVE Information:
Spoofing Vulnerability - CAN-2004-0892
Mitigating Factors:
* This vulnerability would not allow an attacker to spoof an SSL certificate. An attacker would not be able to successfully use SSL certificates that belong to other domain names. For example, a spoofed Web site cannot use a trusted Web site's SSL certificate to establish an SSL session with a user. If a spoofed Web site tries to do this, authentication fails and the user receives a warning message.
* An attacker would first have to persuade a user to view content that causes a reverse lookup to occur. For example, an attacker could persuade a user to visit the attacker's Web site by using an IP address that would cause a reverse lookup to occur.
* Systems that enable the default Site and Content rule permitting All traffic to All Destinations are not affected by this vulnerability. However, this rule is generally disabled as a security best practice, and we do not recommend enabling it to help mitigate this vulnerability.
Workarounds:
* Set the DNS Cache size to zero on the affected software.
* Setting the DNS Cache size to zero effectively disables DNS caching on the affected system. This prevents the affected software from using potentially spoofed data from the cache. It may have a negative performance impact on DNS resolution, so it should only be used as a short-term workaround on systems that are not able to apply the security update. See Microsoft Knowledge Base Article 889189 for detailed instructions on how to perform this procedure.
* If you suspect that your system has been affected by attempts to exploit this vulnerability, you can clear the Web proxy cache to help remove the suspected malicious content. Microsoft Knowledge Base Article 889189 provides detailed instructions on how to perform this procedure.
FAQ:
Why was this security bulletin updated on November 9, 2004?
After the release of the MS04-039 security bulletin, Microsoft became aware of an issue affecting ISA Server 2000 customers deploying the German language version of the security update. The originally released version of the ISA Server 2000 German language security update required ISA Server 2000 Service Pack 2. The updated version of the ISA Server 2000 German language security update can be installed on ISA Server 2000 systems using ISA Server 2000 Service Pack 1 or ISA Server 2000 Service Pack 2. This issue only affected the German language version of the security update. The original version of this security update did protect against the vulnerability described in this security bulletin. Customers using the German language version of ISA Server 2000 Service Pack 2 who successfully installed the originally released security update do not need to take any action.
What is the scope of the vulnerability?
This is a spoofing vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site. However, an attacker would first have to persuade a user to visit the attacker's site to attempt to exploit this vulnerability.
What causes the vulnerability?
The method that the affected software uses to cache reverse lookup results.
What is a reverse lookup?
In DNS, a reverse lookup is a query process by which the IP address of a host computer is searched to find its friendly DNS domain name. For more information about reverse lookup, visit the following Web site.
What is wrong with the way that the affected products cache reverse lookup results?
Proxy Server 2.0 and ISA Server 2000 cache the result of a reverse lookup and later use that result to answer a forward (normal) lookup for the returned hostname. This assumes that the hostname received during the reverse lookup is the valid hostname for that address. However, the reverse lookup answer for an IP address is controlled by whoever controls that address, so the first time a reverse lookup is performed for an attacker's IP address, the attacker can return a spoofed hostname in a domain they are not authoritative over. The cache then maps that hostname to the attacker's IP address. If a user later tries to access a resource by using the domain name supplied by the attacker, the user's request is routed to the attacker's IP address instead of being serviced by the valid content owner.
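The following is an added illustration, not code from this bulletin or from Microsoft, and it does not claim to reproduce how Proxy Server 2.0 or ISA Server 2000 are implemented. It models the caching flaw described above with a toy resolver cache that reuses a reverse (PTR) answer to satisfy a later forward (A) lookup, beside a hardened version that only trusts a PTR answer after forward-confirming it (looking up the returned name and checking that it resolves back to the original IP address). The bulletin states only that the update changes how reverse lookup results are cached; forward confirmation is the hardening chosen for this example. All hostnames, IP addresses and zone data are constructed for the example.

```python
"""Toy model of the MS04-039 reverse-lookup cache poisoning (added example).

The DNS data below is constructed for the example; the resolver never
touches the network.
"""

# Constructed forward zone: what an authoritative A query would return.
FORWARD_ZONE = {
    "www.trusted.example": "203.0.113.10",
    "evil.example": "198.51.100.77",
}

# Constructed reverse zone. The attacker controls the PTR record for their
# own address and points it at a name they are not authoritative for.
REVERSE_ZONE = {
    "203.0.113.10": "www.trusted.example",
    "198.51.100.77": "www.trusted.example",  # spoofed PTR answer
}


def query_a(name):
    """Stand-in for a forward (A) query against the constructed zone."""
    return FORWARD_ZONE.get(name)


def query_ptr(ip):
    """Stand-in for a reverse (PTR) query against the constructed zone."""
    return REVERSE_ZONE.get(ip)


class ResolverCache:
    """Base cache: forward lookups are served from the cache when present."""

    def __init__(self):
        self.forward = {}  # hostname -> ip

    def forward_lookup(self, name):
        if name not in self.forward:
            ip = query_a(name)
            if ip is not None:
                self.forward[name] = ip
        return self.forward.get(name)


class VulnerableCache(ResolverCache):
    """Pre-update behaviour modelled: the PTR answer is stored as a
    hostname -> ip mapping and later used to answer forward lookups."""

    def reverse_lookup(self, ip):
        name = query_ptr(ip)
        if name is not None:
            # The flaw: the PTR answer is trusted as proof that name -> ip.
            self.forward[name] = ip
        return name


class HardenedCache(ResolverCache):
    """Forward-confirmed reverse DNS: the PTR name is only cached as a
    forward mapping if an A query for that name returns the original ip."""

    def reverse_lookup(self, ip):
        name = query_ptr(ip)
        if name is not None and query_a(name) == ip:
            self.forward[name] = ip
        return name


def demo(cache_cls):
    """Scenario from the bulletin: the user first visits the attacker's
    site by IP address (triggering a reverse lookup), then requests the
    trusted hostname through the same proxy. Returns the IP the proxy
    would connect to for the trusted name."""
    cache = cache_cls()
    cache.reverse_lookup("198.51.100.77")
    return cache.forward_lookup("www.trusted.example")


if __name__ == "__main__":
    print("vulnerable cache resolves www.trusted.example to", demo(VulnerableCache))
    print("hardened cache resolves www.trusted.example to", demo(HardenedCache))
```

With the vulnerable cache the second request for www.trusted.example is sent to the attacker's address, which is exactly the spoofing outcome the bulletin describes; the hardened cache discards the unconfirmed PTR answer and resolves the name from the forward zone.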
What is Proxy Server 2.0?
Proxy Server 2.0 acts as a gateway to the Internet for client computers. A proxy server generally acts as an intermediary between a private network and the Internet. Proxy Server 2.0 also caches Internet content for internal users to increase performance and to reduce outgoing network bandwidth.
What is ISA Server 2000?
ISA Server 2000 provides both an enterprise firewall and a high-performance Web cache. The firewall helps protect the network by regulating which resources can be accessed through the firewall, and under what conditions. The Web cache helps improve network performance by storing local copies of frequently requested Web content. ISA Server can be installed in three modes: firewall mode, cache mode, or integrated mode.
Firewall mode allows an administrator to secure network communication by configuring rules that control communication between the corporate network and the Internet. Cache mode improves network performance by storing frequently accessed Web pages on the server itself. In integrated mode, all cache and firewall features are available.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content such as a malicious Web site. Web sites as well as other types of Internet content could be spoofed if an attacker is successfully able to exploit this vulnerability.
Who could exploit the vulnerability?
Any anonymous user who could display a specially crafted Web page to a client using the ISA Server 2000 or Proxy Server 2.0 system could attempt to exploit this vulnerability.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content using banner advertisements or other ways to deliver Web content to clients of the ISA Server 2000 or Proxy Server 2.0 system.
Even if an attacker is able to display the malicious Web content to a client of the ISA Server 2000 or Proxy Server 2.0 system, the attacker would then have to craft the malicious response to the requesting ISA Server 2000 or Proxy Server 2.0 system to spoof the reverse lookup.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the affected products cache reverse lookup results.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.