Azure Web App identified target web site is using IIS and detected that it is out of date - how to change

Tony Tullio 1 Reputation point
2021-04-15T16:30:26.047+00:00

A security scan of a web app running Windows has identified a High vulnerability. Since this is an old version of the software, it may be vulnerable to attacks. When the Server: Microsoft-IIS/10.0

External References: https://nvd.nist.gov/vuln/detail/CVE-1999-0229
Internet Information Services Other Vulnerability
IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.
Affected Versions: 10.0
External References: https://nvd.nist.gov/vuln/detail/CVE-2000-0115

How can we do the following to fix this issue when using Azure web app?

Remedy
Upgrading IIS to a higher version is not a standalone operation. The IIS version depends heavily on the Windows OS version that you use on your server machine.
If it is not possible to upgrade IIS to a higher version for this type of reason, we strongly recommend that you track and apply the patches that are published by the vendor.
Please note that all updates and patches for IIS come as Windows Updates. Also, you can select which update package(s) will be applied.

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. Tony Tullio 1 Reputation point
    2021-04-20T14:27:36.323+00:00

    Please see the attached for the 3rd party vulnerability scan:

    89556-livingdonorportalcom-detailed-scan-report-002.pdf

    Request
    GET https://www.livingdonorportal.com/portal-admin/patient-directory HTTP/1.1 (FYI this url is currently not open to the public until we sort out this issue)
    Origin: https://www.livingdonorportal.com
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
    Sec-Fetch-User: ?1
    Referer: https://www.livingdonorportal.com/
    Cookie: ASP.NET_SessionId=cdf3zhoktpielz0ryxc2pfh2; CMSPreferredCulture=en-CA; .ASPXFORMSAUTH=CBE516990AC28B452DAF630AF543B266894ACEC68F4F7FC2205721DF47EBF9D73EC250EE263503C4FD1D34DB4C4C4BB557ED69A2D17964FEA07F0535331455F11094F1BD4751A7CABFC1A017612F427C8C13A174FB4F86C9BE27134E827CC370C2E4AE558614362A524E0C168509CE39DEEB587924C9BE825DC8D617EA6E57AF; CMSPreferredUICulture=en-US; CMSViewMode=0
    Response
    Response Time (ms) : 0 Total Bytes Received : 64668 Body Length : 64340 Is Compressed : No
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Vary: Accept-Encoding
    X-AspNet-Version: 4.0.30319
    X-UA-Compatible: IE=Edge
    X-Frame-Options: SAMEORIGIN
    Date: Tue, 30 Mar 2021 20:57:46 GMT
    Cache-Control: private, no-store, must-revalidate
    content-type: text/html; charset=utf-8
    content-HTTP/1.1 200 OK
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Vary: Accept-Encoding
    X-AspNet-Version: 4.0.30319
    X-UA-Compatible: IE=Edge
    X-Frame-Options: SAMEORIGIN
    Date: Tue, 30 Mar 2021 20:57:46 GMT
    Cache-Control: private, no-store


  2. Ryan Hill 16,076 Reputation points Microsoft Employee
    2021-04-20T22:35:07.063+00:00

    Hi @Tony Tullio,

    I saw that you've opened a support case. I will tell you that upgrading IIS on a Windows hosted platform is not possible from the consumer standpoint. It is something that is controlled with platform rollouts. You can, alternatively, run your website in a VM and be in control of updating the OS and feature software.

    However, this vulnerability, I believe, is a false positive being raised because IIS/10.0 is identifiable in the HTTP header. That can theoretically lead to malicious intent; however, I'm not certain how someone could use that to their advantage.

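As an added example (not part of the question, either answer, or Microsoft's own documentation), here is a web.config fragment for an ASP.NET site on Azure App Service that removes the three banner headers visible in the scan output above: `Server: Microsoft-IIS/10.0`, `X-Powered-By: ASP.NET` and `X-AspNet-Version: 4.0.30319`. It does not change the IIS version, which the platform controls as the answer explains; it only stops advertising it, which is what the scanner matched on. `removeServerHeader` is honoured by IIS 10.0 and later, so it applies to App Service; `enableVersionHeader="false"` drops `X-AspNet-Version`, and the `customHeaders` `remove` drops `X-Powered-By`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version response header.
         If the site already has an <httpRuntime> element (e.g. with targetFramework),
         add the attribute to that element instead of adding a second one. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: ASP.NET is injected at the server level; remove it here. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <security>
      <!-- Strips the Server: Microsoft-IIS/10.0 banner (IIS 10.0+). -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm the headers are gone with `curl -I https://<your-app>.azurewebsites.net/` against your own site. Treat the header removal as hygiene, not as a patch: the actual IIS patch level on App Service still comes from Microsoft's platform rollouts, so the only way to own that schedule is to host on a VM you update yourself, as the answer notes.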