IIS 6.0 Vulnerabilities

Some weeks ago, on a private security mailing list, I learned that the recent count of IIS 6 vulnerabilities is 60! If you are on the NTBugTraq mailing list, you may have read that as well. The number comes from Russ Cooper's AusCERT presentation about Microsoft Security Bulletins. Russ is the editor of NTBugTraq and a well-known expert on the security of MS products. However, I and a couple of Security MVPs do not agree with his findings. Here is his short summary about IIS 6.0:

7. I then compared IIS versions. Given the timeframe of the products, the numbers are very different;
IIS 4.0 = 231 vulnerabilities
IIS 5.0 = 282 vulnerabilities
IIS 6.0 = 60 vulnerabilities

I went on to say that in the period since W2K3's release, IIS 6.0 boxes were 11% less vulnerable than W2K IIS 5.0 servers. This, however, IMO was largely due to configuration and not a lack of vulnerable code. I said that if you configured any IIS box the way W2K3 IIS 6.0 was configured, you'd get roughly the same security. IOWs, where were the results of the Security Push? Surely the results weren't only a new configuration.

The full message thread can be found here. The information given is definitely misleading, so Susan and I mailed Russ offline to question the formula and the method he used to derive the numbers. Russ's formula is:

IIS 6.0 = OE6 + IE6 + Media Player 8 + W2K3 + IIS 6.0 specific + IIS 6.0 removable

Therefore, the following bulletins apply to IIS 6.0 boxes:
MS03-004 (2 vulnerabilities)
MS03-014 (1 vulnerability)
MS03-015 (7 vulnerabilities)
MS03-017 (1 vulnerability)
MS03-020 (2 vulnerabilities)
MS03-026 (1 vulnerability)
MS03-032 (5 vulnerabilities)
MS03-033 (1 vulnerability)
MS03-034 (1 vulnerability)
MS03-039 (2 vulnerabilities)
MS03-040 (3 vulnerabilities)
MS03-041 (1 vulnerability)
MS03-043 (1 vulnerability)
MS03-044 (2 vulnerabilities)
MS03-045 (1 vulnerability)
MS03-048 (5 vulnerabilities)
MS04-001 (1 vulnerability)
MS04-003 (1 vulnerability)
MS04-004 (5 vulnerabilities)
MS04-006 (1 vulnerability)
MS04-007 (1 vulnerability)
MS04-011 (8 vulnerabilities)
MS04-012 (3 vulnerabilities)
MS04-013 (1 vulnerability)
MS04-014 (1 vulnerability)
MS04-015 (1 vulnerability)

So he has done his homework. Susan and I had to do ours; Susan compiled her findings here. If you look closely, the vulnerability counts differ for several of the bulletins. Take MS04-011, for example. Our method is very simple: we count one vulnerability for each CAN ID listed in the bulletin, and hence MS04-011 is 14, not 8!

OK, my turn now. Based on his formula and his list, I arrive at the following with a BRAND new formula:
IIS 6.0 = OE6 + IE6 + Media Player 9 + W2K3 + IIS 6.0 specific + IIS 6.0 removable + Messenger + MDAC + Jet
          = 2+22+0+21+0+0+1+1+1
          = 48

IE(22):
MS03-004(2)+MS03-015(4)+MS03-020(2)+MS03-032(3)+MS03-040(2)+MS03-041(1)+MS03-048(5)+MS04-004(3)

OE(2):
MS03-014(1)+MS04-013(1)

W2k3(21):
MS03-026(1)+MS03-034(1)+MS03-039(3)+MS03-044(1)+MS03-045(1)+MS04-006(1)+MS04-007(1)+MS04-011(7)+MS04-012(4)+MS04-015(1)

Messenger(1):
MS03-043(1)

MDAC(1):
MS04-003(1)

Jet(1):
MS04-014(1)
-------------
Total = 48!!!

Where are the other 12 vulnerabilities? From his list:
MS03-017(1) Media Player 8?
MP9 comes with Windows Server 2003

MS03-033(1) MDAC
Windows Server 2003 MDAC 2.8 is not affected

MS04-001(1) ISA2k
ISA related to IIS 6 or Windows Server 2003?

ISA Server has NOTHING to do with Windows Server 2003, so the above 3 are definitely out of the picture!

Take another look at MS04-011: it is packed with 14 vulnerabilities, but only 7 are related to Windows Server 2003.
LSASS Vulnerability - CAN-2003-0533
Help and Support Center Vulnerability - CAN-2003-0907
H.323 Vulnerability - CAN-2004-0117
ASN.1 “Double Free” Vulnerability - CAN-2004-0123

IIS 6.0 Related
PCT Vulnerability - CAN-2003-0719
Negotiate SSP Vulnerability - CAN-2004-0119
SSL Vulnerability - CAN-2004-0120

And Russ got 8 for that? Only 3 are related to IIS, and they are not in the IIS core or the removable components: they are ASN.1 issues in the OS, but the point of attack is via IIS. Now, we also argued about what constitutes an IIS 6.0 box, so all of the above applies, no doubt. But I have to strongly disagree with his statement that IIS 6 = 60 vulnerabilities.

It would make more sense to say
Windows Server 2003 = 60 vulnerabilities
and, under that, list every single vulnerability in detail.

To summarize my findings: I count 3 vulnerabilities in IIS 6.0. However, you should take note of the other 45, which relate to your W2k3 box (depending, of course, on what you have installed on it). And as a matter of security practice, you are NOT supposed to surf or read email from your production box. Oh ya, Harry doesn't like the findings either :)

Next, you might wonder about other vendors' reports of IIS 6 exploits.
Months ago, Michael Howard blogged about this, saying "IIS ? zero", and one of the comments pointed to Microsoft Windows Server 2003 / IIS 6 Cross Site Scripting. Yes, you may classify this as 1 vulnerability; however, I have heard nothing official from Microsoft about it. For this one, I would suggest you limit and restrict the use of HTMLA. FYI, my production boxes don't have it installed at all.

Another one is Microsoft IIS Cookie Variable Information Disclosure, which is about revealing information about your web server. No harm, I would say, but if you want to stop it, try:

- In the IIS MMC, disable 'Send detailed ASP error messages to client'
- Follow best practices with custom error pages
- Disable the ASP web service extension if it is not needed
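The same three settings can be applied from the command line instead of clicking through the MMC, which matters when you have more than one box to harden. The following batch file is an added example written for this post; it is not the original author's script. It assumes the default location of adsutil.vbs and iisext.vbs under %SystemDrive%\Inetpub\AdminScripts on Windows Server 2003, sets the ASP error properties at the W3SVC level so every site inherits them, and uses a constructed generic error message.

```batch
@echo off
REM Added example (not from the original post): stop IIS 6.0 from echoing
REM detailed ASP error text (file path, line number, engine message) to clients.
REM Assumes the default AdminScripts location on Windows Server 2003.
setlocal
set ADMINSCRIPTS=%SystemDrive%\Inetpub\AdminScripts
set ADSUTIL=%ADMINSCRIPTS%\adsutil.vbs

REM 1. Show the current value. TRUE (the IIS default) means raw ASP error
REM    details are sent to the browser; that is the information disclosure.
echo --- AspScriptErrorSentToBrowser before ---
cscript //nologo "%ADSUTIL%" get W3SVC/AspScriptErrorSentToBrowser

REM 2. Same effect as clearing the MMC check box
REM    "Send detailed ASP error messages to client". Applied at W3SVC so
REM    all sites inherit it; use W3SVC/1/Root/... to target one site only.
cscript //nologo "%ADSUTIL%" set W3SVC/AspScriptErrorSentToBrowser FALSE

REM 3. Replace the details with a generic message (constructed text).
cscript //nologo "%ADSUTIL%" set W3SVC/AspScriptErrorMessage "An error occurred on the server. Please contact the administrator."

REM 4. Verify both properties after the change.
echo --- values after ---
cscript //nologo "%ADSUTIL%" get W3SVC/AspScriptErrorSentToBrowser
cscript //nologo "%ADSUTIL%" get W3SVC/AspScriptErrorMessage

REM 5. Optional: if no site on this box needs ASP, prohibit the ASP web
REM    service extension entirely. "ASP" is the extension group ID used by
REM    IIS 6.0 for Active Server Pages (assumption: default extension list).
REM    Uncomment to apply; list current state with:  iisext.vbs /ListExt
REM cscript //nologo "%ADMINSCRIPTS%\iisext.vbs" /DisExt ASP
endlocal
```

Run it from an elevated command prompt on the web server. Step 4 is the check a practitioner wants before closing the ticket: the get should now print FALSE, and a deliberately broken test page should show only the generic message. Note that the generic text is still configurable per site, so a site-level override of AspScriptErrorSentToBrowser set back to TRUE would silently reopen the disclosure; a quick way to spot that is to run the get against each W3SVC/<id>/Root path as well.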

So far, these are the only 2 I know of; if you find a new one, let me know. And just for the record, AFAIK Microsoft has not officially addressed the above 2 issues.

One more. This is specifically a message to MS; it actually comes from Kerry Steele, and I have to agree because it makes sense. If you search the Security Bulletins Search Page
with IIS 6 as the product, you get ZERO bulletins.
However, if you try Windows Server 2003 (Standard Edition), you get 24 bulletins (as of today!).

This is misleading as well. If there is an exploit related to IIS 6.0, it must be listed there; for example, the ASN.1-related exploits in MS04-011 that affect IIS 6.0.

Finally, I hope the above gives everyone a clear picture of the current 'vulnerabilities' in IIS 6.0. You can count them with whatever formula you wish; I just wanted to set the facts straight.

Cheers.

Published Thu, Jun 10 2004 10:49 by bernard

Comments

# bernard said on 10 June, 2004 12:02 PM
And then there is the obvious component that the number of vulnerabilities can be further reduced by the fact that some of the 21 W2K3 vulnerabilities just do not apply to an IIS 6.0 Server maintained by anyone with sound mind and judgement.

As far as the 22 IE vulnerabilities, how long has it been SOP not to perform casual web browsing from a production server?
# bernard said on 10 June, 2004 09:26 PM
Kudos on a well-written post :)

Security is the sum of all the parts and it's only as strong as its weakest link.

IIS 6.0 (which is yet to have its first security release) is VERY SECURE. It represents the fruition of MS's efforts in strengthening its security products.

Russ is somewhat correct, in that to build a secure MS Internet or Intranet server, you need to consider all the parts (Windows, IE, etc), and thus you can arrive at dozens of required patches. Still, IIS is just a part and saying that it has the number of vulnerabilities Russ identified is misleading.

Respectfully, Harry
# bernard said on 11 June, 2004 11:24 PM
Just a quick note in passing on the item "PCT Vulnerability - CAN-2003-0719" - PCT is not enabled by default on Windows Server 2003, and it's difficult to imagine too many situations where an admin would enable it. For the vulnerability to work, PCT would have to be enabled - enabling SSL is not enough.
# bernard said on 12 June, 2004 07:53 PM
Cool. I didn't know that. Thanks Alun.
# bernard said on 19 June, 2004 12:58 AM
Great article with lots of good info. I would like to script (adsutil.vbs) the change so IIS won't "Send detailed ASP error messages to client" (Default Web Site|Home Directory|Configuration|Debugging Tab). What value do I set in the metabase (AspScriptErrorSentToBrowser)?
Thanks,
# bernard said on 21 June, 2004 10:47 AM
Hi Ray,
Just set it to false, and set AspScriptErrorMessage for the error msgs.