*************************************************************************
Security Bulletin 9817                  DISA Defense Communications System
July 27, 1998                           Published by: DISN Security
                                        Coordination Center (SCC@NIC.MIL)
                                        1-(800) 365-3642

           DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns to
security and management personnel at DISN facilities. Back issues may be
obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous" and
password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the
year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!   The following important advisory was issued by the Microsoft        !
!   Product Security Response Team and is being relayed unedited        !
!   via the Defense Information Systems Agency's Security               !
!   Coordination Center distribution system as a means of               !
!   providing DISN subscribers with useful security information.        !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
Microsoft Security Bulletin (MS98-006)
------------------------------------------------------------------------

Potential Denial-of-Service in IIS FTP Server due to Passive Connections

Last Revision: July 23, 1998

Summary
=======
Microsoft was recently alerted to an issue with the way the Microsoft(r)
Internet Information Server processes passive FTP connection requests.
Certain uses of multiple passive FTP connections may result in errors,
degrade system performance, and create denial of service situations for
both the FTP service and the WWW service running on the same machine.

This issue involves a denial of service vulnerability that potentially can
be used by someone with malicious intent to cause disruption of service. It
cannot be used to crash the FTP server, or any other service running on the
targeted system.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
When multiple passive connections are made to a single FTP server via the
PASV FTP command, it is possible to use up all available system threads for
servicing clients. Once this happens, requests for additional connections
will fail as discussed above, and will continue to fail until a client
thread is again available. Further, the FTP and WWW services on a machine
share a common thread pool, so exhausting the FTP thread pool also will
cause connection requests for the WWW service to fail.

This vulnerability does not affect other services running on the same
system, nor does it cause the FTP or WWW service to crash. Once the passive
connections time out, the system performance will return to normal.

Server Administrators will see the following error in the System Event Log:

   FTP Server could not create a client worker thread for user at host
   'IPAddress'. The connection to this user is terminated. The data is the
   error.
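As an added example, not part of this bulletin or any Microsoft tool, the following script triages the three event texts the bulletin quotes (the worker-thread error above and the two "timed out" events listed under "What customers should do") from a constructed sample log, counting matching events per originating host so an administrator can decide whether a host warrants a deny rule or closer review. The tab-separated "timestamp, event text" layout, the five-event threshold and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PATTERNS = {  # event texts quoted in the bulletin; %1/%2 are the user name and host
    "thread": re.compile(r"could not create a client worker thread for user (?:(?P<user>\S+) )?at host '(?P<host>[^']+)'"),
    "pasv": re.compile(r"Passive connect from user (?P<user>\S+) at host (?P<host>\S+) timed out"),
    "upload": re.compile(r"File received from user (?P<user>\S+) at host (?P<host>\S+) timed out"),
}

# Constructed sample, not real log data; the "timestamp<TAB>event text" layout is assumed.
SAMPLE_LOG = """\
1998-07-23 14:02:11\tPassive connect from user anonymous at host 192.0.2.10 timed out.
1998-07-23 14:02:15\tPassive connect from user anonymous at host 192.0.2.10 timed out.
1998-07-23 14:02:19\tPassive connect from user anonymous at host 192.0.2.10 timed out.
1998-07-23 14:02:24\tFile received from user ftpuser at host 198.51.100.7 timed out.
1998-07-23 14:02:33\tPassive connect from user anonymous at host 192.0.2.10 timed out.
1998-07-23 14:02:40\tFTP Server could not create a client worker thread for user anonymous at host '192.0.2.10'. The connection to this user is terminated.
1998-07-23 14:03:01\tUnrelated service message that the triage ignores.
"""

def parse_events(lines):
    """Return (timestamp, kind, user, host) for every line matching a known event."""
    events = []
    for line in lines:
        ts_text, _, text = line.partition("\t")
        for kind, pat in PATTERNS.items():
            m = pat.search(text)
            if m:
                ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
                events.append((ts, kind, m.group("user") or "?", m.group("host")))
                break
    return events

def suspicious_hosts(events, threshold=5, window=timedelta(minutes=5)):
    """Map host -> peak event count inside any window-long span, for hosts reaching
    the threshold: candidates for a deny rule or closer review (an assumed policy)."""
    stamps_by_host = defaultdict(list)
    for ts, _kind, _user, host in events:
        stamps_by_host[host].append(ts)
    flagged = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged
```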
Clients accessing either the WWW or FTP services might see messages such as
either of the following:

 - Connection closed by remote host
 - The FTP session was terminated

Affected Software Versions
==========================
 - Microsoft Internet Information Server 2.0, 3.0, 4.0

What Microsoft is Doing
=======================
Microsoft has produced an update for Microsoft Internet Information Server
versions 2.0, 3.0 and 4.0.

Intel Platforms
---------------
IIS 4.0:
  ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
  ftp-fix/ftpfix4i.exe

IIS 3.0 and IIS 2.0:
  ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
  ftp-fix/ftpfix3i.exe

Alpha Platforms
---------------
IIS 4.0:
  ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
  ftp-fix/ftpfix4a.exe

IIS 3.0 and IIS 2.0:
  ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
  ftp-fix/ftpfix3a.exe

NOTE: Each of the above URLs is one path; they have been wrapped for
readability.

What customers should do
========================
Microsoft recommends that customers hosting FTP sites with Microsoft
Internet Information Server install the update listed above. Customers who
do not use the FTP functionality of IIS do not need to install this update,
as this problem only occurs on systems running the FTP service.

NOTE: Consider running the WWW and FTP services on separate servers to
further decrease the possibility of attacks against the multiple services.

NOTE: Although this fix makes it significantly more difficult to mount a
denial of service attack against an FTP server, and limits the potential
impact and severity of such an attack, it does not make an attack
impossible. Malicious use of the PASV FTP command could still exhaust server
resources and have a limited effect on the operation of the FTP server.
Clients that use passive mode connections to connect to the FTP server may
be denied service, and clients that are uploading information to the FTP
server may be denied service. If this happens, there will be many event log
entries of the type shown below. The event log entries will give the user
name of the attacker and the IP address that originated the attack. Using
this information, the FTP server administrator could choose to deny access
to the attacker, or take other appropriate actions.

Event Log Entries:
 - Passive connect from user %1 at host %2 timed out.
 - File received from user %1 at host %2 timed out.

If you are seeing a large number of either of these events, you may be
experiencing an attack.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin 98-006, Potential Denial-of-Service in IIS
   FTP Server due to Passive Connections (the web-posted version of this
   bulletin), http://www.microsoft.com/security/bulletins/ms98-006.htm
 - Microsoft Knowledge Base (KB) article Q189262, FTP Passive Mode May
   Terminate Session,
   http://support.microsoft.com/support/kb/articles/q189/2/62.asp
 - Microsoft Knowledge Base (KB) article Q181743, Error Message 426 Trying
   to Retrieve File from FTP Server,
   http://support.microsoft.com/support/kb/articles/q181/7/43.asp

Revisions
=========
 - July 23, 1998: Bulletin Created

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of
Use see http://support.microsoft.com/support/misc/cpyright.asp.
=====================================================

****************************************************************************
*                                                                          *
* The point of contact for NIPRNET security-related incidents is the       *
* ASSIST:                                                                  *
*                                                                          *
*     E-mail address: ASSIST@ASSIST.MIL                                    *
*                                                                          *
*     Telephone: 1-(800)-357-4231 (24 hours/day)                           *
*                                                                          *
* You may also contact the Security Coordination Center (SCC) at the       *
* NIC:                                                                     *
*                                                                          *
*     E-mail address: SCC@NIC.MIL                                          *
*                                                                          *
*     Telephone: 1-(800)-365-3642                                          *
*                                                                          *
* NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,      *
* Monday through Friday except on federal holidays.                        *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD community,
please contact your agency's incident response team to report incidents.
Your agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained by sending email to docserver@first.org with an empty
subject line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community.
Neither the United States Government nor any of their employees makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily state or
reflect those of the United States Government, and shall not be used for
advertising or product endorsement purposes.