Microsoft has issued Service Pack 2 for ISA Server 2000. This includes patches for all previously reported vulnerabilities as well as older hot fixes, where some address potential security issues.
cde0a6316c61f476997a2b12d1eb5ba5efc7734e090b2a60a4e961c5b135579d
TITLE:
Microsoft ISA Server 2000 Various Security Issues
SECUNIA ADVISORY ID:
SA11799
VERIFY ADVISORY:
http://secunia.com/advisories/11799/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Exposure of system information, Exposure of
sensitive information, DoS
WHERE:
>From remote
SOFTWARE:
Microsoft ISA Server 2000
DESCRIPTION:
Microsoft has issued Service Pack 2 for ISA Server 2000. This
includes patches for all previously reported vulnerabilities as well
as older hot fixes, where some address potential security issues.
1) ICMP traffic is not blocked by the ISA Server 2000 while starting
up, even though it has been restricted in the firewall policies. This
allows malicious people to detect the presence of the system during a
short period of time.
2) In certain cases, basic credentials may be sent over external HTTP
connections even though this has been configured as SSL required.
This may potentially disclose sensitive information to certain
people, who are able to intercept the traffic.
3) The web proxy service may crash during the processing of HTTP
redirect actions, when a content rule denies access.
4) Certain site and content rules can be bypassed when access to
specific destinations are denied due to a canonicalization error. The
problem is that a rule may not apply if a user requests an URL with a
period (.) appended to the end.
Example:
http://www.restricted_site.com.
5) Under certain circumstances, a malformed SSL packet may crash the
web proxy when "web publishing" a SSL web site.
SOLUTION:
Apply Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=C8D3D98B-1CD4-406A-A04A-2AA2547D09A3&displaylang=en
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
ISA Server 2000 Service Pack 2 Release Notes:
http://support.microsoft.com/default.aspx?kbid=816460
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------