Last Updated on January 13, 2024
Let’s put aside the fact that Microsoft ended support for Windows Server 2003 years ago. The latest issue of concern with this legacy server environment (CVE-2017-7269) is a newly announced buffer overflow vulnerability in Internet Information Server (IIS) 6. If successfully exploited, it could allow a remote attacker to execute arbitrary code on the server. If unsuccessful, it will result in a denial-of-service (DoS) condition.
The CVE was only announced this week (3/27/2017) and is still being reviewed by several entities, including NIST. However, it was seen in the wild as far back as July or August 2016. The server vulnerability is exploited by sending a PROPFIND request with specially crafted header beginning with “If: <https://”. PROPFIND is a Microsoft WebDAV method (like GET or POST) used to retrieve XML property documents from a web server.
What should you do if you’re still running Windows Server 2003?
Obviously, the most secure option is to retire any Windows Server 2003 still running on your network. If that is not an option, there are a few things you can do to reduce the risk a bit.
- Disable the web server.
- Restrict access via a firewall to only trusted source hosts, preferably internal only.
- Place an inspecting web application firewall in front of the web server.
- Use URIScan to disable the PROPFIND verb. You should also disable:
- PROPPATCH
- MKCOL
- DELETE
- PUT
- COPY
- MOVE
- LOCK
- UNLOCK
- OPTIONS
- SEARCH
There are likely other ways to mitigate these attacks and your server vulnerability. However, again, the best option is to retire any Windows Server 2003 machine.
For specific questions about your unique situation, reach out to Pivot Point Security.