Trend Micro Incorporated, a global provider of security software solutions, said that Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day buffer overflow vulnerability (CVE-2017-7269) caused by improper validation of an ‘IF’ header in a PROPFIND request.
A remote attacker could exploit this vulnerability in the IIS WebDAV component with a crafted request using the PROPFIND method. Successful exploitation could result in a denial-of-service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found this flaw, this vulnerability was exploited in the wild in July or August 2016. It was disclosed to the public on March 27. Other threat actors are now in the process of creating malicious code based on the original proof-of-concept (PoC) code.
Web Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP protocol that allows clients to perform remote Web content authoring operations. WebDAV extends the set of standard HTTP methods and headers allowed for the HTTP request. This vulnerability is exploited using the PROPFIND method and IF header.
The affected system reported by the researcher is Windows 2003 with IIS version 6. The vulnerability could be exploited with an overly large ‘IF’ header in the ‘PROPFIND’ request, with at least two HTTP resources in the IF header. If successfully exploited, this vulnerability could lead to remote code execution. Even an unsuccessful attack could sometimes still lead to a denial-of-service condition.
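The condition described above can be checked on captured request heads before they reach an IIS 6.0 server. The following Python sketch is an added example, not Trend Micro's DPI or DDI rule; the 512-byte threshold, the function names and the sample requests are assumptions made for illustration.

```python
import re

# Assumed tuning value (not from the advisory): If headers on ordinary
# WebDAV traffic are short, so anything beyond this counts as oversized.
MAX_IF_HEADER_LEN = 512
# A tagged resource in an If header is an absolute URI in angle brackets.
HTTP_RESOURCE = re.compile(r"<\s*https?://[^>]*>", re.IGNORECASE)


def parse_request(raw: bytes):
    """Return (method, headers); names lower-cased, folded lines joined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # continuation of previous header
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        last, value = name.strip().lower(), value.strip()
        # Repeated headers are combined so a split If header is still seen whole.
        headers[last] = f"{headers[last]}, {value}" if last in headers else value
    return method, headers


def is_suspicious_propfind(raw: bytes) -> bool:
    """Flag PROPFIND with an oversized If header naming >= 2 http resources."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_header = headers.get("if", "")
    resources = HTTP_RESOURCE.findall(if_header)
    return len(if_header) > MAX_IF_HEADER_LEN and len(resources) >= 2


# Constructed sample requests (filler characters only, no payload).
_filler = "a" * 400
OVERSIZED = (
    "PROPFIND / HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 0\r\n"
    f"If: <http://www.example.test/{_filler}> (<urn:uuid:constructed-1>)\r\n"
    f" <http://www.example.test/{_filler}> (<urn:uuid:constructed-2>)\r\n\r\n"
).encode("latin-1")
NORMAL = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.test\r\nDepth: 1\r\n"
    b"If: <http://www.example.test/docs/> (<urn:uuid:constructed-3>)\r\n\r\n"
)
```

Here `is_suspicious_propfind(OVERSIZED)` returns `True` and `is_suspicious_propfind(NORMAL)` returns `False`; the threshold should be tuned against the If headers that legitimate WebDAV clients on the network actually send.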
IIS 6.0 was included with Windows Server 2003; unfortunately, Microsoft isn’t supporting and won’t be patching the old OS version anymore. To mitigate the risk, disabling the WebDAV service on the vulnerable IIS 6.0 installation is recommended. Newer versions of Windows Server shipped with newer versions of IIS are not affected by this vulnerability.
“Trend Micro Deep Security customers are recommended to apply the DPI rule and the Trend Micro Deep Discovery Inspector protects customers from this threat via the DDI Rule. The TippingPoint customers are protected from attacks exploiting this vulnerability with the DVToolkit CSW,” said Mr. Nilesh Jain, Country Manager (India and SAARC), Trend Micro.
“Trend Micro Deep Discovery enables you to detect, analyse, and respond to today’s stealthy ransomware, and targeted attacks in real time. It can detect targeted attacks and targeted ransomware anywhere in the network. Deep Discovery is optimized for the customer’s network environments. It integrates with and leverages your existing security solutions, whether they’re from Trend Micro or not. It’s designed to seamlessly share intelligence for optimal performance and ROI,” he added.