Security Bulletin

Microsoft Security Bulletin MS01-016 - Critical

Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources

Published: March 08, 2001 | Updated: June 23, 2003

Version: 2.2

Originally posted: March 08, 2001
Updated: June 23, 2003

Summary

Who should read this bulletin:
System administrators using Microsoft® Internet Information Services 5.0

Impact of vulnerability:
Denial of service

Recommendation:
System administrators using Microsoft® Internet Information Services 5.0 should apply the patch listed below.

Affected Software:

  • Microsoft Internet Information Services 5.0

General Information

Technical details

Technical description:

WebDAV is an extension to the HTTP protocol that allows remote authoring and management of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all WebDAV requests, then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server.

The original version of this bulletin provided a workaround (discussed in Knowledge Base article Q241520) that would protect affected systems by disabling WebDAV services. However, a security patch is now available that eliminates the vulnerability, and Microsoft recommends using the patch rather than the workaround.

The patch should be applied to all machines running IIS 5.0. While this obviously includes web servers, it's worth noting that IIS 5.0 may be running on other types of servers as well, particularly mail servers running Exchange 2000.

Mitigating factors:

  • The effect of an attack via this vulnerability would be temporary. The server would automatically resume normal service as soon as the malformed requests stopped arriving.
  • The vulnerability does not provide an attacker with any capability to carry out WebDAV requests.
  • The vulnerability does not provide any capability to compromise data on the server or gain administrative control over it.

Vulnerability identifier: CAN-2001-0151

Tested Versions

Microsoft tested IIS 5.0 to assess whether it was affected by this vulnerability. WebDAV did not ship in IIS 4.0 or any prior versions.

Frequently asked questions

What's the scope of this vulnerability?
This is a denial of service vulnerability. If an attacker exploited this vulnerability against an affected server, she could temporarily prevent it from providing web services. The effect of an attack via this vulnerability would only last as long as a continuous stream of requests was directed at an affected server, after which point normal service would automatically resume. The vulnerability does not provide any means to add, delete or change data on the server, or usurp administrative control over it.

What causes the vulnerability?
The vulnerability results because WebDAV does not correctly process a request that has been malformed in a particular way. By sending a continuous stream of such requests, even at a relatively low rate, all of the server's CPU availability could be consumed.

What is WebDAV?
To explain what WebDAV is, we first need to discuss HTTP. HTTP, or Hypertext Transfer Protocol, is the industry standard protocol by which web content is communicated. It enables clients to request web content, and enables web servers to either supply the content or tell the client why it was unable to supply it. WebDAV is an extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning", and it adds a capability for authorized users to remotely add and manage content on a web server. WebDAV is fully supported in Windows 2000 and ships as part of the product.

What's wrong with WebDAV?
WebDAV does not properly handle a particular type of specially malformed request. If a continuous stream of such requests were sent to an affected server, it could degrade the server's performance to the point where it would be unable to perform useful work.

What would this enable an attacker to do?
An attacker could use this vulnerability to temporarily disrupt service on an affected server. During such an attack, the server would be unable to service existing HTTP sessions or accept new ones.

How long would the effect of an attack last?
The effect of the attack would only last as long as the attacker continued directing malformed WebDAV requests at the server. Once the requests stopped arriving, the server would resume normal operation. It would not be necessary for the operator to take any action.

Isn't this a flooding attack?
No. The scenario here is similar to a flooding attack, in the sense that it involves the attacker sending a continuous stream of requests. However, in a flooding attack, it's usually necessary for the attacker to expend about the same quantity of resources as those she wants to deny on the server. For instance, flooding attacks frequently require the attacker to dedicate a machine for each server she wishes to attack. In this case, however, the attacker would have to expend relatively few resources in order to attack an affected machine.

Who could exploit the vulnerability?
The only prerequisite for exploiting the vulnerability is the ability to deliver the malformed WebDAV requests to an affected server. It would not be necessary for the attacker to authenticate to the machine.

Would this vulnerability enable an attacker take any action on an affected system?
No. This is strictly a denial of service vulnerability. There is no capability to use this vulnerability to compromise data on the system or to take any kind of administrative action on it.

Is WebDAV installed and running by default?
Yes. WebDAV is installed by default on IIS5 web servers.

Does this vulnerability affect IIS 4.0?
No. WebDAV did not ship as part of IIS4.0.

Are any other servers affected by this vulnerability?
Exchange 2000 Server utilizes IIS 5.0 to provide Outlook Web Access(OWA) services. Exchange 2000 Servers providing OWA services should consider installing this patch to protect their IIS 5.0 services from this vulnerability.bb

When this bulletin was originally released, it provided a workaround rather than a patch. If I applied the workaround, do I need the patch?
The workaround (discussed in Microsoft Knowledge Base article Q241520) is an effective way to defend against this vulnerability, and customers can use it if desired. In particular, customers who are using a language version for which a patch isn't yet available may wish to continue using the workaround. In general, however, it's better to use the patch than the workaround. The patch corrects the flaw in WebDAV, where the workaround disables it completely. While disabling WebDAV wouldn't prevent an IIS or Exchange server from offering web services, it would prevent WebDAV requests from being processed, and this could cause the loss of features like the following:

  • Web Folders 
  • Publishing to the website using Office 2000 (but not via FrontPage Server Extensions)
  • Monitoring an IIS 5.0 server via Digital Dashboard

I've already implemented the workaround, but I'd like to apply the patch. How can I return my system to the state it was in before I applied the workaround?
If you've applied the workaround and would now like to apply the patch and re-enable WebDav, refer to "Steps to Re-enable WebDAV" in KB article Q241520.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows 2000 Gold and Service Pack 1.

Inclusion in future service packs:

This fix will be included in Windows 2000 Service Pack 2.

Superseded patches:

This patch supersedes the one provided in Microsoft Security Bulletin MS01-014.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\291845.

  • To verify the individual files in the patch, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\291845\Filelist.

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches are also available from the WindowsUpdate web site

Other information:

Support:

  • Microsoft Knowledge Base article 291845 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Microsoft Knowledge Base article Q241520 discusses a workaround for this vulnerability.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (March 08, 2001): Bulletin Created.
  • V2.0 (March 13, 2001): Bulletin was originally issued with workaround information; revised on this date to reflect availability of a patch.
  • V2.1 (April 20, 2001): Bulletin updated to provide information on superseded patch.
  • V2.2 (June 23, 2003): Updated Windows Update download links.

Built at 2014-04-18T13:49:36Z-07:00