Microsoft has just released a security bulletin about a new vulnerability in ISA Server 2006. This bulletin is rated as Important and could allow elevation of privilege if an attacker successfully exploits it.
This vulnerability affects all ISA Server 2006 versions (SE/EE) in RTM (Release To Manufacturing), SU (Supportability Update) or SP1 (Service Pack 1) that are using Forms-Based authentication validated against a Radius OTP (One Time Password) server and using Kerberos Constrained Delegation.
An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If that happens, the attacker will be able to access the same content the impersonated user has.
ISA Server 2006 Authentication
By default, when forms-based authentication cannot be used with a specific client, ISA requires basic authentication instead. This fall-back was one of the new features introduced in ISA Server 2006. For more information, see the Authentication in ISA Server 2006 TechNet article.
To work around this vulnerability, you can run the script provided in KB938966. The script disables the fall-back mechanism in the web listener configured with RADIUS OTP.
If the ISA Server is not set up with RADIUS OTP and authentication delegation with KCD, then it is not vulnerable.
Download the ISA Server software update for your appropriate version: