Buffer overflow in IIS WebDAV: Patch it now!
Microsoft has MS03-007 out. The bulletin describes a buffer overflow vulnerability in the WebDAV component of IIS 5.0 on W2K; Windows 2003 and Windows XP aren't affected. The practical effect of this vuln is that an attacker can run code of her choice on your server (at which point it's not really your server anymore.) The worst part is that an exploit for this problem is already circulating.
There are several ways to avoid this problem:
- If you were already running URLScan, you're in good shape. Its whole purpose is to block malformed or bogus requests before IIS ever gets them. If you're not running URLScan, well, why not?
- Go to the download page and download the patch. It's a self-installing executable; after installing it, stop and restart the W3SVC service. You don't need to reboot.
- Go to
Windows Update and scan for the patch. The Windows Update installer may prompt you for a reboot.
- Use the Automatic Updates client to download and install the patch. Unfortunately, this route will prompt you for a reboot, although you can sneak by by killing its process and bouncing the W3SVC service.
- Disable or remove IIS. Obviously you can't do this for your Exchange servers, but other servers may not need IIS. See KB article 321141 for details.
- Disable WebDAV only. This is easy to do.
- Download the URL Buffer Size Registry tool and use it to set the MaxClientRequestBuffer value. Microsoft recommends setting MaxClientRequestBuffer to 16K, but in the same sentence they warn that doing so may break "some programs." In my testing, a setting of 16K didn't seem to interfere with OWA or Exchange, but your environment may have a different mix of requests. I've asked MS for a definitive statement on this; in the meantime, you can either use a larger value or use URLScan, which has templates for OWA. (Side note: of course, by reading KB article 816930 you could make this change yourself, but the tool can scan multiple machines to find those that haven't had this limit applied).
- If you choose to apply MaxClientBufferSize, you should probably also use a group policy setting to apply the registry key and you're in business.
What about long-term solutions? Well, you should definitely be using IIS Lockdown on all your Windows 2000 servers. If you combine that tool with reasonable attention to patches, you will be in relatively good shape. You should aggressively follow up with MBSA scans to check for correct patch installation. In almost all cases, your life will be easier if you deploy the Software Update Service (SUS) to pull patches and stage them for mass installation. When I get a free minute, I'll be writing an article here describing exactly how to use SUS.
In the meantime, if you read and follow the recommendations in chapters 6 and 14 of the book, you can relax.
Posted by Paul at March 18, 2003 08:32 AM