CERT-In Vulnerability Note CIVN-2009-54
Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Denial of Service vulnerabilities

Original Issue Date: April 15, 2009

Severity Rating: Medium

Systems Affected

  • Forefront Threat Management Gateway, Medium Business Edition
  • ISA Server 2006 Standard Edition SP1 and prior
  • ISA Server 2006 Enterprise Edition SP1 and prior
  • ISA Server 2004 Enterprise Edition SP3
  • ISA Server 2004 Standard Edition SP3

Overview

Two vulnerabilities have been reported in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition). They could cause denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

Description

Microsoft Internet Security and Acceleration Server (ISA Server), which originated as Microsoft Proxy Server, is a firewall and security product that provides application-layer firewalling, acts as a VPN endpoint, and provides Internet access for client systems in a business networking environment.

Threat Management Gateway (TMG) Medium Business Edition is a critical security and protection component of Windows Essential Business Server, and has been designed to help provide comprehensive threat management, secure Internet access, and secure remote access for small to medium size organizations.

1. Web Proxy TCP State Limited Denial of Service Vulnerability (CVE-2009-0077)

This vulnerability exists due to errors in proxy session management. The firewall engine state management does not handle the session state correctly for Web listeners. This limitation could lead to orphaned open sessions that can cause a denial of service.

An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious network request to the application. After establishing an open session, the application may fail to close it. Repeated attacks could exhaust the available sessions and prevent authorized users from establishing new connections, resulting in a DoS condition.

2. Cross-Site Scripting Vulnerability (CVE-2009-0237)

A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, "cookieauth.dll", due to improper input validation of the HTTP stream.

The parser fails to filter malicious HTML or script code that is supplied as part of an HTTP GET request sent to the affected server.

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious web page or follow a malicious link. Such a link could be supplied via e-mail, instant message, or other form of messaging. If successful, the attacker could gain the ability to execute arbitrary HTML or script code in the user's browser session within the security context of the affected site.
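
For log review, the following added example (not part of the original note or of any Microsoft tooling) flags GET requests to the forms authentication component whose query string carries HTML or script metacharacters, including double-encoded ones. The "client-ip method uri status" log layout, the request path, the parameter name "field" and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters and schemes that should not appear in a logon-form query string.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines, component="cookieauth.dll"):
    """Return (client_ip, decoded_query) for GETs to the forms-auth
    component whose query string carries HTML/script metacharacters."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or fields[1].upper() != "GET":
            continue  # the note describes the issue for HTTP GET requests
        client_ip, _, target = fields[:3]
        url = urlsplit(target)
        if component not in url.path.lower():
            continue
        query = fully_decode(url.query)
        if SUSPICIOUS.search(query):
            hits.append((client_ip, query))
    return hits

# Constructed sample lines in an assumed "client-ip method uri status" layout.
SAMPLE_LOG = [
    "192.0.2.10 GET /CookieAuth.dll?field=value 200",
    "192.0.2.44 GET /CookieAuth.dll?field=%3Cscript%3Eprobe%3C%2Fscript%3E 200",
    "192.0.2.45 GET /CookieAuth.dll?field=%253Cb%253E 200",
    "192.0.2.46 POST /CookieAuth.dll?field=value 302",
    "192.0.2.47 GET /index.html?q=%3Cb%3E 200",
]

if __name__ == "__main__":
    for ip, query in flag_requests(SAMPLE_LOG):
        print(ip, query)
```

Hits from this check indicate links worth investigating, not confirmed exploitation; the fix remains the vendor patch listed under Solution.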

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-016.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx
http://support.microsoft.com/kb/961759

Cisco Security Center
http://tools.cisco.com/security/center/viewAlert.x?alertId=18007
http://tools.cisco.com/security/center/viewAlert.x?alertId=18008

ISS X-FORCE
http://xforce.iss.net/xforce/xfdb/49567

Secunia
http://secunia.com/advisories/34687/

CVE Name
CVE-2009-0077
CVE-2009-0237

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003