CVE-2017-7269

Analysis and mitigation of the Internet Information Services (IIS) vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

A buffer overflow vulnerability in the WebDAV service of Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to execute arbitrary code by sending a crafted PROPFIND request with an overly long header beginning with 'If <http://'. This vulnerability was actively exploited in the wild and is particularly critical for Windows Server 2003 R2 systems. The vulnerability was disclosed on March 27, 2017. CISA has identified CVE-2017-7269 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

The WebDAV service in Microsoft IIS 6.0 fails to properly validate the length of HTTP request headers, specifically the 'If' header in PROPFIND requests. When a maliciously crafted request containing an excessively long header value prefixed with 'If <http://' is sent to a vulnerable server, it triggers a stack-based buffer overflow in the WebDAV service memory space. This overflow can overwrite the return address on the stack, allowing an attacker to redirect execution to arbitrary code.

The vulnerability is classified as CWE-674 (Uncontrolled Recursion), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the IIS application pool identity (typically Local System or Network Service). This enables complete compromise of the affected server, including unauthorized access to sensitive data, modification of system files, installation of malware, and disruption of service availability. The vulnerability was actively exploited by ransomware operators and advanced persistent threat (APT) actors in the wild.

Mitigation and workarounds

Microsoft released security update MS17-018 (KB4012217) on April 11, 2017. Apply the security patch immediately via Windows Update or download it directly from Microsoft Security Updates. For systems that cannot be patched immediately, disable the WebDAV service or restrict access to it. The following versions include the necessary fixes: Windows Server 2003 R2 with KB4012217 or later, Windows Server 2003 with KB4012217 or later.

As temporary workarounds: disable the WebDAV service if it is not required, by disabling the WebDAV extension in IIS Manager or stopping the WebDAV service (World Wide Web Publishing Service); restrict network access to the IIS server using firewall rules, allowing only trusted IP addresses to connect to HTTP/HTTPS ports; implement network-based intrusion detection/prevention systems (IDS/IPS) configured to detect and block malicious PROPFIND requests with overly long 'If' headers; and use web application firewalls (WAF) configured with rules to detect and block WebDAV PROPFIND requests containing suspicious 'If' header patterns.
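The IDS/WAF check described above can be expressed as a small request inspector. This is an added example, not code from the original page or from any vendor rule set; the length threshold, the host name and the sample requests are assumptions constructed for illustration.

```python
# Added example: flag WebDAV PROPFIND requests whose 'If' header matches the
# pattern described for CVE-2017-7269 (value starts with '<http://', overly long).
MAX_IF_HEADER_LEN = 1024  # assumed tuning value; the page gives no exact length


def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP request head. headers maps
    lower-cased names to a list of values, since a header name can repeat."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper() if lines and lines[0] else ""
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            # Obsolete folded continuation: join it so a split value is still measured.
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return method, headers


def is_suspicious(raw: bytes, max_len: int = MAX_IF_HEADER_LEN) -> bool:
    """True for a PROPFIND whose If header starts with '<http://' and exceeds max_len."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    return any(
        v.lower().startswith("<http://") and len(v) > max_len
        for v in headers.get("if", [])
    )


# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n"
          b"If: <http://intranet.example/docs/> (<opaquelocktoken:constructed>)\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: intranet.example\r\n"
             b"If: <http://intranet.example/" + b"A" * 4000 + b">\r\n\r\n")
OTHER_METHOD = OVERSIZED.replace(b"PROPFIND", b"GET", 1)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("get", OTHER_METHOD)):
        print(label, is_suspicious(req))
```

Legitimate WebDAV clients send short 'If' headers carrying lock tokens, so the threshold should be tuned against observed traffic before the check is used to block rather than alert.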

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI

Related Microsoft vulnerabilities

No related vulnerabilities with identified affected products.