SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Microsoft Internet Security and Acceleration Server Vendors:   Microsoft
Microsoft ISA Server in SecureNAT Configuration Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1014113
SecurityTracker URL:  http://securitytracker.com/id/1014113
CVE Reference:   CVE-2005-1907   (Links to External Site)
Updated:  Nov 2 2008
Original Entry Date:  Jun 6 2005
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2000 SP2
Description:   A vulnerability was reported in Microsoft Internet Security and Acceleration (ISA) Server in the firewall service. A remote user may be able to cause the service to crash in certain situations.

If client computers are configured as SecureNAT clients and generate heavy network traffic via the firewalll, the 'Wspsrv.exe' service may crash.

Wspsrv.exe versions prior than 3.0.1200.411 are vulnerable.

The vendor disclosed this vulnerability and Juha-Matti Laurio reported it to us.
Impact:   A remote user may be able to cause the service to crash in certain situations.
Solution:   The vendor has issued a hotfix, described at:

http://support.microsoft.com/kb/894864/EN-US/
Vendor URL:  support.microsoft.com/kb/894864/EN-US/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (2000)

Message History:   None.

 Source Message Contents
Subject:  Microsoft Internet Security and Acceleration Server 2000 Firewall


- Overview
>From the vendor:
"ISA Server provides transparent support for client computers that have 
no special client software installed, running on any platform or 
operating system, using SecureNAT."

- Description:
There is an access violation error in Microsoft Internet Security and 
Acceleration (ISA) Server's Firewall service's executable file. This 
problem may occur if heavy network traffic from client computers is 
handled by the Firewall service; Wspsrv.exe. It is needed that client 
computers are configured as SecureNAT clients. Finally the Microsoft ISA 
Firewall service may unexpectedly crash and quit.
Versions ISA Server 2000 and ISA Server 2000 Service Pack 2 (SP2) are 
affected (both versions ISA Server Standard Edition; SSE, and ISA Server 
Enterprise Edition; EE, are released).

This can cause a false sense of security and unexpected conditions. 
Server administrator operations is needed to return an ISA server to a 
normal state and Firewall service to work again.
It is possible that the network's protection is not fully working when 
the Microsoft ISA Firewall service is ended.

This can be possibly exploited by a malicuous user in an internal 
network by generating heavy network traffic from his/hers workstation.

NOTE: This issue can be caused if a new server is published behind ISA 
Server 2000 too and later heavy network traffic is generated.

Wspsrv.exe versions prior than 3.0.1200.411 are affected.

Affected component: Wspsrv.exe (ISA Firewall service .exe file)

- Solution:
A hotfix can be obtained by contacting Microsoft Product Support Services:
http://support.microsoft.com/contactus/?ws=support

Users having problems mentioned are urged to contact the vendor for 
information on obtaining an updated file.
NOTE: ISA Server 2000 Service Pack 2 installed is needed to apply this hotfix.

If this is not possible immediately, the following workarounds are 
provided by the reporter:

- Workarounds:
Restrict access from the clients by setting limitations to network 
traffic amount.
Confirm that client computers are configured to use Windows Firewall or 
Internet Connection Firewall (ICF).

- References:
Microsoft Support / Knowledbe Base Article #894864:
"The ISA Firewall service may unexpectedly quit when ISA Server 2000 
experiences heavy network traffic"
http://support.microsoft.com/kb/894864/EN-US/

Microsoft TechNet ISA Server Home Page:
"Microsoft Internet Security and Acceleration (ISA) Server"
http://www.microsoft.com/technet/prodtechnol/isa/default.mspx

Microsoft TechNet:
"Microsoft Internet Security and Acceleration Server 2000 (ISA) 
Technical Overview / Firewall Protection for Secure Internetworking"
http://www.microsoft.com/technet/prodtechnol/isa/2000/evaluate/isatecov.mspx#EHAA

"Microsoft ISA Server 2000, Standard Edition - Installation and 
Deployment Guide"
Chapter 2: Planning Considerations / Assessing Client Requirements
http://www.microsoft.com/technet/prodtechnol/isa/2000/deploy/isastnin.mspx#EGAA

Software: Microsoft ISA Server 2000,
Microsoft ISA Server 2000 SP2

OS: Windows

- Solution status:
Vendor patch

Vendor:
Microsoft Corporation

Vendor homepage:
http://www.microsoft.com/isaserver/

This information was announced by the vendor, and analyzed, collected 
and written to a report by me.


Best regards,
Juha-Matti Laurio, Networksecurity.fi
IT security researcher
<juha-matti.laurio [at] netti.fi>
http://www.networksecurity.fi/
Finland


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC