Vulnerability in ISA Server 2006 (970953)

Hi,
 
Microsoft has just released security bulletin MS09-031 about a new vulnerability in ISA Server 2006. The bulletin is rated Important and could allow elevation of privilege if an attacker successfully exploits it.
 
Affected Software
 
This vulnerability affects all ISA Server 2006 versions (Standard and Enterprise Edition) at RTM (Release To Manufacturing), SU (Supportability Update) or SP1 (Service Pack 1) level that use forms-based authentication validated against a RADIUS OTP (One Time Password) server together with Kerberos Constrained Delegation (KCD) for authentication delegation.
 
An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If that happens, the attacker will be able to access the same published content the impersonated user is allowed to access.
 
ISA Server 2006 Authentication
 
By default, when forms-based authentication cannot be used with a specific client, ISA requires basic authentication instead. This fall-back was one of the new features introduced in ISA Server 2006, and it is the mechanism the workaround below disables. For more information, see the Authentication in ISA Server 2006 TechNet article.
 
Workaround
 
To work around this vulnerability you can run the script provided in KB938966. The script disables the fall-back mechanism on the web listener configured with RADIUS OTP, so clients that cannot use the form are no longer offered basic authentication.
 
If the ISA Server is not configured with RADIUS OTP and authentication delegation with KCD, it is not vulnerable and the workaround is not needed.
 
Software Update
 
Download the ISA Server software update for your version:
 
Regards,
Paulo Oliveira.
This entry was posted in ISA Server.