==
Defcom Labs Advisory def-2001-16
Internet Acceleration Server Event DoS
Authors: Peter Gründl [EMAIL PROTECTED]
Andreas Sandor [EMAIL PROTECTED]
Release Date: 2001-04-02
==
-=[Brief Description]=-
If an alert action has been chosen in the ISA server console, a
malicious attacker can cause a Denial of Service situation on the ISA
server.
-=[Affected Systems]=-
- Internet Acceleration Server for Windows 2000 Server
-=[Detailed Description]=-
By default the log settings on the Windows 2000 server are not set to
overwrite the log files as needed, and since the installation of the
ISA server does not change these settings, this is also the case with
the ISA server. If you enable the "Event Log Failure" option in the
ISA console, an attacker can send in any kind of spoofed packets that
will trigger event logs and cause the ISA server to start spawning a
CMD.EXE for each event log failure. This will result in the server
running very slowly and consuming all available memory.

This will go on even after the ISA server is rebooted until the event
log is cleaned.

We used ISIC to create a flood of spoofed, random packets:
http://www.packetfactory.net/Projects/ISIC/

Whether you chalk this one up as a security vulnerability or not, it
is still a potential problem that should be given attention if you
set up an "Internet Security and Acceleration" Server.
-=[Workaround]=-
Make sure your log file is either overwritten as needed or that you
have the "event log failure" option disabled in the ISA firewall.

The issue is now described in Q284800 by MSRC:
http://support.microsoft.com/support/kb/articles/q284/8/00.ASP
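
A check for the first workaround option, as an added example that is not part of the original advisory: it lists the classic event logs whose retention policy lets them fill up and, with -Fix, switches them to overwrite as needed. The function name Test-EventLogOverflow is hypothetical, and the script assumes an elevated Windows PowerShell 5.1 session (Get-EventLog and Limit-EventLog), not the Windows 2000 tooling of the advisory's time.

```powershell
# Added example: audit the event log retention policy named in the workaround.
# Assumption: Windows PowerShell 5.1, run elevated. Function name is hypothetical.
function Test-EventLogOverflow {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Logs to inspect; the three classic Windows logs by default.
        [string[]]$LogName = @('Application', 'Security', 'System'),
        # Switch any log that can fill up to the OverwriteAsNeeded policy.
        [switch]$Fix
    )

    $safe = [System.Diagnostics.OverflowAction]::OverwriteAsNeeded

    foreach ($log in (Get-EventLog -List | Where-Object { $LogName -contains $_.Log })) {
        # OverwriteAsNeeded never reaches a "log full" state; OverwriteOlder
        # and DoNotOverwrite can, once the log hits its maximum size.
        $canFill = $log.OverflowAction -ne $safe

        if ($canFill -and $Fix -and $PSCmdlet.ShouldProcess($log.Log, 'Set OverwriteAsNeeded')) {
            Limit-EventLog -LogName $log.Log -OverflowAction OverwriteAsNeeded
            # Re-read the log so the report shows the policy now in effect.
            $log = Get-EventLog -List | Where-Object { $_.Log -eq $log.Log }
            $canFill = $log.OverflowAction -ne $safe
        }

        [pscustomobject]@{
            Log            = $log.Log
            OverflowAction = $log.OverflowAction
            RetentionDays  = $log.MinimumRetentionDays
            MaxKB          = $log.MaximumKilobytes
            CanFillUp      = $canFill
        }
    }
}

# Report only. Add -Fix to change the policy, or -Fix -WhatIf to preview it.
Test-EventLogOverflow | Format-Table -AutoSize
```

Any row with CanFillUp set to True is a log that can reach the full condition the advisory describes.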
-=[Vendor Response]=-
This issue was brought to the vendor's attention on the 20th of
February, 2001. The vendor replied:
"There are two issues here: the particular alert action (i.e., opening
the command prompt in response to the log becoming full), and the fact
that the alert action recurs each time you boot.
* Alert action. By default, there is no alert action selected -- you
have to have enabled alerts. Once they're enabled, the default alert
mechanism is to run a program. This is usually used to run a program
to, for instance, send a mail to the administrator. If you want to,
you can select a different alert mechanism.
* Recurrence. By default, ISA will continue to take the alert action
each time the machine is booted, until the "log full" condition no
longer applies. Again, the idea here is that ISA will give the
administrator a signal that he needs to tend to his logs. You can
reset the recurrence so that the alert action is only taken at
predefined intervals, or only after a manual reset of the event log."
Also:
"Thanks for letting me review the draft. I don't see anything in it
that's factually incorrect. However, classifying this as a denial of
service vulnerability seems excessive, don't you think? There isn't
a product flaw here -- the only issue is that if the user
deliberately turns on a feature, but doesn't configure it correctly,
he can hurt the performance of his machine. That is, there isn't any
way for a bad guy to force the admin to turn on the Event Log Failure
option, nor is there any way for him to prevent the admin from
properly configuring it. It seems much more appropriate to discuss
this as an issue of proper use of the product, rather than as a
security vulnerability."
And finally:
"I agree that the right way to use the alert mechanism isn't intuitive,
and that we need to get the word out so folks will use it
appropriately."
==
This release was brought to you by Defcom Labs
[EMAIL PROTECTED] www.defcom.com
==