Vulnerability in ISA Server 2006 (970953)

Microsoft has just released a security bulletin about a new vulnerability in ISA Server 2006. The bulletin is rated Important: the vulnerability could allow elevation of privilege if an attacker successfully exploits it.
Affected Software
This vulnerability affects all ISA Server 2006 versions (SE/EE) in RTM (Release To Manufacturing), SU (Supportability Update) or SP1 (Service Pack 1) that are using Forms-Based authentication validated against a Radius OTP (One Time Password) server and using Kerberos Constrained Delegation.
An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If that happens, the attacker will be able to access the same content the impersonated user can access.
ISA Server 2006 Authentication
By default, when forms-based authentication cannot be used with a specific client, ISA requires basic authentication instead. This fall-back was one of the new features introduced in ISA Server 2006. For more information, see the Authentication in ISA Server 2006 TechNet article.
To work around this vulnerability, you can run the script provided in KB938966. The script disables the fall-back mechanism on the web listener configured with RADIUS OTP.
If the ISA Server is not set up with RADIUS OTP and authentication delegation with KCD, then it is not vulnerable.
Software Update
Download the ISA Server software update for the version you are running:
Paulo Oliveira.
This entry was posted in ISA Server. Bookmark the permalink.
