November 09, 2004
Microsoft Security Bulletin: ISA Server Vulnerability (MS04-039)
Advisory Overview
Qualys™ Vulnerability R&D Lab has released a new vulnerability check in QualysGuard® to protect organizations against the new Microsoft® vulnerability that was announced earlier today. Customers can immediately audit their networks for this and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released one (1) patch as part of their monthly security fixes. This patch addresses a vulnerability found in Microsoft ISA Server. Specific releases and versions impacted are available from Microsoft by clicking here.
Qualys has released a check for this new vulnerability:
| Microsoft ISA Server 2000 Internet Content Spoofing Vulnerability |
|---|
| SEVERITY: Medium |
| QUALYS ID: 90196 |
| VENDOR REFERENCE: MS04-039 \| 888258 |
| CVE REFERENCE: CAN-2004-0892 |
| THREAT: Microsoft Proxy Server Version 2.0 and ISA Server 2000 cache the results of a reverse lookup and use these results for a forward (normal) lookup. This approach assumes that the hostname received during the reverse lookup is the valid hostname. The first time a reverse lookup is performed for a particular IP address, an attacker could provide a spoofed reverse lookup response for a domain name over which they do not have authority. If a user then tries to access the resource by using the domain name that is supplied by the attacker, the request is routed to the incorrect IP address instead of being serviced by the valid content owner. |
| IMPACT: An attacker could spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing a malicious Web site. However, an attacker would first have to persuade a user to visit the malicious site to attempt to exploit this vulnerability. |
| SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS04-039 for details. |
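
The caching flaw described under THREAT can be modelled in a few lines. The following is an added example, not Qualys or Microsoft code: a toy name cache over constructed zone data (documentation IP ranges), where the `NameCache` class, its `trust_reverse` switch and the forward-confirmation check are assumptions chosen for illustration and do not describe how the MS04-039 patch works.

```python
# Constructed data (documentation IP ranges); a toy model, not ISA Server code.
# Forward zone: A records published by the legitimate owner of the name.
FORWARD_ZONE = {"www.example.com": ["192.0.2.10"]}
# Reverse zone: PTR records are set by whoever controls the IP block, so the
# holder of 203.0.113.66 can claim a hostname it has no authority over.
REVERSE_ZONE = {"192.0.2.10": "www.example.com",
                "203.0.113.66": "www.example.com"}


class NameCache:
    def __init__(self, trust_reverse):
        self.trust_reverse = trust_reverse
        self.forward = {}  # hostname -> IP used to route later requests

    def reverse_lookup(self, ip):
        name = REVERSE_ZONE.get(ip)
        if name is None:
            return None
        if self.trust_reverse:
            # Flawed behaviour from the THREAT text: the PTR answer is
            # assumed valid and seeds the forward cache.
            self.forward.setdefault(name, ip)
            return name
        # Hardened: forward-confirm the PTR name and never let a reverse
        # answer populate the forward cache.
        return name if ip in FORWARD_ZONE.get(name, []) else None

    def forward_lookup(self, name):
        if name not in self.forward:
            records = FORWARD_ZONE.get(name)
            if not records:
                return None
            self.forward[name] = records[0]
        return self.forward[name]


def route_after_spoofed_ptr(trust_reverse):
    """Reverse-resolve the spoofing IP first, then resolve the name."""
    cache = NameCache(trust_reverse)
    claimed = cache.reverse_lookup("203.0.113.66")
    return claimed, cache.forward_lookup("www.example.com")


if __name__ == "__main__":
    print("flawed  :", route_after_spoofed_ptr(True))
    print("hardened:", route_after_spoofed_ptr(False))
```

With `trust_reverse` enabled, the later forward lookup is served from the entry the reverse answer created; with forward confirmation, the unconfirmed PTR name is rejected and the name resolves from its own A record.
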
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD: To perform a selective vulnerability scan, configure a scan profile to use the following options:
This new vulnerability check is included in Qualys vulnerability signatures v1.9.87-2. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
