CERT-In Vulnerability Note
CIVN-2012-0109
Multiple Vulnerabilities in Microsoft Internet Information Services (IIS)
Original Issue Date: November 14, 2012
Severity Rating: LOW
Systems Affected
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64 based systems Service Pack 2
- Windows 7 for 32-bit Systems & SP 1
- Windows 7 for x64 based Systems & SP1
- Windows Server 2008 R2 for x64 based Systems & SP1
- Windows Server 2008 R2 for Itanium based Systems & SP1
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core Installation)
- Windows Server 2008 for x64 based Systems Service Pack 2 (Server Core Installation)
- Windows Server 2008 R2 for x64 based Systems (Server Core Installation) & SP1
Component Affected
- IIS 7.0 on all supported editions of Windows Vista and Windows Server 2008.
- IIS 7.5 on all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Information Services (IIS). These could be exploited by the attacker to access sensitive information on a targeted system.
Description
Password Disclosure Vulnerability (CVE-2012-2531)
The vulnerability exists in Microsoft Internet Information Services (IIS), which fails to properly protect log files. A local attacker could exploit this vulnerability by logging in to an affected system and accessing the vulnerable log file. To exploit the vulnerability the attacker requires system account access; trusted users with limited privileges may use this type of vulnerability as part of an insider attack.
Workaround
- Disable the "Operational" log for IIS-Configuration before assigning a custom account to an Application Pool, and re-enable the "Operational" log after the account has been associated.
- Use Built-in account identities.
- Prevent access to EventViewer snap-in to non-Administrators accounts.
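The first workaround above, scripted so that the log is always re-enabled even if the identity change fails. This is an added example and is not from the CERT-In note or from Microsoft; it assumes the channel is named "Microsoft-IIS-Configuration/Operational" (the script verifies this against `wevtutil el` before doing anything), that the WebAdministration module is installed, and that it runs from an elevated PowerShell session. The pool name and account are placeholders supplied by the caller.

```powershell
# Added example: script the CVE-2012-2531 workaround on IIS 7.x.
# Run elevated. Assumed channel name; confirmed below before use.
param(
    [Parameter(Mandatory = $true)] [string] $AppPool,    # e.g. "DefaultAppPool"
    [Parameter(Mandatory = $true)] [string] $UserName,   # e.g. "DOMAIN\svc_app"
    [string] $Channel = 'Microsoft-IIS-Configuration/Operational'
)

# Prompt for the password instead of taking it as a parameter: a command
# line is itself recorded in several places, which would defeat the purpose.
$secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)

# Confirm the assumed channel name exists on this host before touching it.
$known = wevtutil el | Where-Object { $_ -eq $Channel }
if (-not $known) {
    throw "Event channel '$Channel' not found; list channels with: wevtutil el"
}

Import-Module WebAdministration

# Step 1: disable the Operational log so the identity change is not logged.
wevtutil sl $Channel /e:false
try {
    # Step 2: assign the custom identity (identitytype 3 = SpecificUser).
    Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
        identitytype = 3
        userName     = $UserName
        password     = $cred.GetNetworkCredential().Password
    }
}
finally {
    # Step 3: always re-enable the log, whether or not step 2 succeeded.
    wevtutil sl $Channel /e:true
}

# Show the channel is enabled again so the operator can confirm the state.
wevtutil gl $Channel | Select-String '^enabled:'
```

After the patch from MS12-073 is applied the log no longer needs to be toggled; the script is only a stop-gap for unpatched hosts.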
FTP Command Injection Vulnerability (CVE-2012-2532)
The vulnerability exists in the Microsoft Internet Information Services (IIS) FTP service and could allow an authenticated, remote attacker to access sensitive information on a targeted system. A remote attacker could exploit this vulnerability by injecting improperly crafted FTP commands into the targeted system before the session switches to Transport Layer Security (TLS). To exploit this vulnerability, the attacker must have account access. Trusted users with limited privileges may use this type of vulnerability as part of an insider attack.
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS12-073.
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-073
References
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-073
Security Tracker
http://www.securitytracker.com/id/1027751
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=27353
http://tools.cisco.com/security/center/viewAlert.x?alertId=27354
Secure List
http://www.securelist.com/en/advisories/51235
CVE Name
CVE-2012-2531
CVE-2012-2532
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India