Microsoft Security Bulletin MS03-009

Technical description:

Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. Application filters allow ISA Server to analyze a data stream for a particular application and provide application-specific processing including inspecting, screening or blocking, redirecting, or modifying the data as it passes through the firewall. This mechanism is used to protect against invalid URLs which may indicate attempted attacks as well as attacks against internal Domain Name Service (DNS) Servers.

A flaw exists in the ISA Server DNS intrusion detection application filter, and results because the filter does not properly handle a specific type of request when scanning incoming DNS requests.

An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected.

Mitigating factors:

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0011 

Tested Versions:

Microsoft tested Proxy Server 2.0 and ISA Server to assess whether these versions are affected by this vulnerability.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause an ISA Server to stop sending incoming Domain Name Service (DNS) requests to a published DNS server. Restarting the ISA Server service would allow DNS server publishing and DNS intrusion detection to function correctly again; however the server would remain vulnerable to another denial of service attack.

Could an attacker use the vulnerability to take control of an ISA Server computer?
No. This is a denial of service attack only. There is no capability to usurp any administrative privileges.

Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides. It can only be used to prevent the ISA Server from passing any further DNS requests to the published DNS server.

Could an attack that attempted to exploit this vulnerability be launched from the Internet?
Yes, the specially formed request could be sent from the Internet to a computer running ISA Server.

What is ISA Server?
ISA Server provides both an enterprise firewall and a high-performance web cache. The firewall protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The web cache helps improve network performance by storing local copies of frequently-requested web content.

What is Domain Name Service (DNS)?
Domain Name Service (DNS) is a service that resolves a domain name to an IP address. For instance, a client computer wishing to visit the website http://www.microsoft.com must first resolve the domain name "microsoft.com" to its Internet IP address. This is done by contacting a DNS server.

What is DNS server publishing?
DNS server publishing allows an administrator to configure ISA Server to send DNS name resolution requests from an external network to an organization's internal DNS server.

What is the DNS intrusion detection filter?
When configured for DNS server publishing, the DNS intrusion detection filter scans incoming DNS requests before they are passed on to an internal DNS server for processing. This filter scans incoming requests to protect against certain forms of remote attack.

What's wrong with ISA Server's DNS intrusion detection filter?
The DNS intrusion detection filter doesn't correctly handle a particular type of DNS request under a specific circumstance. If such a request were received, it could cause the DNS server publishing feature to stop responding. Normal intrusion detection of other requests and all other ISA Server operations would be unaffected.

How great a threat does this vulnerability pose?
It depends on whether DNS server publishing feature is enabled. By default, it's disabled. However, if it were enabled, any Internet user could potentially exploit this vulnerability to cause the DNS server publishing feature to stop responding. DNS requests received after the occurrence of a successful exploit would be stopped at the firewall and would not pass into the network.

What does the patch do?
The patch eliminates the flaw by ensuring the DNS intrusion detection filter properly processes DNS requests.

Download locations for this patch Microsoft ISA Server:

Installation platforms: This patch can be installed on systems running ISA Server Service Pack 1 or ISA Server Feature Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in the next ISA Server service pack.

Reboot needed: No

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\256.

Alternatively you can perform the following steps to verify patch installation:

1.	Click Start, Settings, Control Panel.
2.	Double-click Add/Remove Programs.
3.	Click Microsoft ISA Server 2000 Updates.
4.	Click Change.
5.	Open the drop down menu.

If ISA Hot Fix 256 appears, the patch has been successfully installed.

To verify the individual files, use the date/time and version information provided in Knowledge Base article 331065.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section