SecurityTracker.com
Category:   Application (Firewall)  >   Microsoft Internet Security and Acceleration Server
Vendors:   Microsoft
Microsoft Internet Security and Acceleration Server OTP Authentication Bug Lets Remote Users Access Resources
SecurityTracker Alert ID:  1022547
SecurityTracker URL:  http://securitytracker.com/id/1022547
CVE Reference:   CVE-2009-1135
Date:  Jul 14 2009
Impact:   Host/resource access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2006, 2006 Supportability Update, 2006 SP1
Description:   A vulnerability was reported in Microsoft Internet Security and Acceleration Server. A remote user can access published resources on the target system.

When ISA Server 2006 is configured for RADIUS One Time Password (OTP) authentication, the system attempts to authenticate using the HTTP-Basic method instead of RADIUS OTP. A remote user with knowledge of a valid username can authenticate to the ISA Server.

Impact:   A remote user can access published resources on the target system.

A remote user can access systems that rely on ISA Server web publishing rules for access control.

Solution:   The vendor has issued the following fixes:

Microsoft Internet Security and Acceleration Server 2006:

http://www.microsoft.com/downloads/details.aspx?familyid=c4e9b1dd-526d-407b-bc23-ebc2738b1b19

Microsoft Internet Security and Acceleration Server 2006 Supportability Update:

http://www.microsoft.com/downloads/details.aspx?familyid=e8ccd770-a925-411c-b994-78e4cf5c3476

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=e536cfed-c1af-4868-b2ac-79178d6355a5

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-031.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms09-031.mspx
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC