---------- Forwarded message ----------
Date: Fri, 24 Jul 1998 11:28:23 -0700
From: Microsoft Product Security Response Team <secureat_private>
To: MICROSOFT_SECURITYat_private
Subject: Microsoft Security Bulletin (MS98-006)

Microsoft Security Bulletin (MS98-006)
------------------------------------------------------------------------

Potential Denial-of-Service in IIS FTP Server due to Passive Connections

Last Revision: July 23, 1998

Summary
=======
Microsoft was recently alerted to an issue with the way the Microsoft(r)
Internet Information Server processes passive FTP connection requests.
Certain uses of multiple passive FTP connections may result in errors,
degrade system performance, and create denial of service situations for
both the FTP service and the WWW service running on the same machine.

This issue involves a denial of service vulnerability that potentially can
be used by someone with malicious intent to cause disruption of service.
It cannot be used to crash the FTP server, or any other service running on
the targeted system.

The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
When multiple passive connections are made to a single FTP server via the
PASV FTP command, it is possible to use up all available system threads
for servicing clients. Once this happens, requests for additional
connections will fail as discussed above, and will continue to fail until
a client thread is again available. Further, the FTP and WWW services on a
machine share a common thread pool, so exhausting the FTP thread pool also
will cause connection requests for the WWW service to fail.

This vulnerability does not affect other services running on the same
system, nor does it cause the FTP or WWW service to crash. Once the
passive connections time out, the system performance will return to
normal.

Server Administrators will see the following error in the System Event
Log:

    FTP Server could not create a client worker thread for user at host
    'IPAddress'. The connection to this user is terminated. The data is
    the error.

Clients accessing either the WWW or FTP services might see messages such
as either of the following:

- Connection closed by remote host
- The FTP session was terminated

Affected Software Versions
==========================
- Microsoft Internet Information Server 2.0, 3.0, 4.0

What Microsoft is Doing
=======================
Microsoft has produced an update for Microsoft Internet Information Server
versions 2.0, 3.0 and 4.0.

Intel Platforms
---------------
IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
ftp-fix/ftpfix4i.exe

IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
ftp-fix/ftpfix3i.exe

Alpha Platforms
---------------
IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
ftp-fix/ftpfix4a.exe

IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/
ftp-fix/ftpfix3a.exe

NOTE: Each of the above URLs is one path; they have been wrapped for
readability.

What customers should do
========================
Microsoft recommends that customers hosting FTP sites with Microsoft
Internet Information Server install the update listed above. Customers
who do not use the FTP functionality of IIS do not need to install this
update, as this problem only occurs on systems running the FTP service.

NOTE: Consider running the WWW and FTP services on separate servers to
further decrease the possibility of attacks against the multiple services.

NOTE: Although this fix makes it significantly more difficult to mount a
denial of service attack against an FTP server, and limits the potential
impact and severity of such an attack, it does not make an attack
impossible. Malicious use of the PASV FTP command could still exhaust
server resources and have a limited effect on the operation of the FTP
server. Clients that use passive mode connections to connect to the FTP
server may be denied service, and clients that are uploading information
to the FTP server may be denied service. If this happens, there will be
many event log entries of the type shown below. The event log entries
will give the user name of the attacker and the IP address that
originated the attack. Using this information, the FTP server
administrator could choose to deny access to the attacker, or take other
appropriate actions.

Event Log Entries:

- Passive connect from user %1 at host %2 timed out.
- File received from user %1 at host %2 timed out.

If you are seeing a large number of either of these events, you may be
experiencing an attack.

More Information
================
Please see the following references for more information related to this
issue.

- Microsoft Security Bulletin 98-006, Potential Denial-of-Service in IIS
  FTP Server due to Passive Connections (the web-posted version of this
  bulletin), http://www.microsoft.com/security/bulletins/ms98-006.htm
- Microsoft Knowledge Base (KB) article Q189262, FTP Passive Mode May
  Terminate Session,
  http://support.microsoft.com/support/kb/articles/q189/2/62.asp
- Microsoft Knowledge Base (KB) article Q181743, Error Message 426 Trying
  to Retrieve File from FTP Server,
  http://support.microsoft.com/support/kb/articles/q181/7/43.asp

Revisions
=========
- July 23, 1998: Bulletin Created

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
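The bulletin tells administrators to watch for a large number of the two "timed out" events (and the worker-thread failure) and to use the user name and host they carry. The triage script below is an added example, not part of the bulletin or of any Microsoft tool: it parses the three message texts quoted above out of a text export of the System Event Log, counts timeout events per originating host inside a sliding window, and reports hosts that cross a threshold. The tab-separated export layout (timestamp, source, message), the window and threshold values, and the sample lines (documentation IP addresses) are all constructed assumptions of this example.

```python
"""Triage an IIS FTP event-log export for the MS98-006 PASV timeout symptoms."""
import re
from datetime import datetime, timedelta

# Message texts quoted in MS98-006, with %1 (user) and %2 (host) turned into captures.
PASV_TIMEOUT = re.compile(r"Passive connect from user (\S+) at host (\S+) timed out")
RECV_TIMEOUT = re.compile(r"File received from user (\S+) at host (\S+) timed out")
THREAD_FAIL = re.compile(r"could not create a client worker thread for user at host '([^']+)'")

# Constructed sample export (assumed layout: timestamp TAB source TAB message); not a real log.
SAMPLE_EXPORT = [
    "1998-07-24 10:00:01\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
    "1998-07-24 10:00:09\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
    "1998-07-24 10:00:17\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
    "1998-07-24 10:01:00\tMSFTPSVC\tFile received from user bob at host 198.51.100.7 timed out.",
    "1998-07-24 10:01:20\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
    "1998-07-24 10:02:02\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
    "1998-07-24 10:02:30\tMSFTPSVC\tFTP Server could not create a client worker thread for user at host "
    "'192.0.2.10'. The connection to this user is terminated. The data is the error.",
    "1998-07-24 10:03:11\tMSFTPSVC\tPassive connect from user anonymous at host 192.0.2.10 timed out.",
]

def parse_export(lines):
    """Yield (timestamp, host, user, kind) for lines carrying one of the bulletin's three events."""
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed or unrelated line: skip rather than fail the whole triage
        stamp, _source, msg = parts
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if m := PASV_TIMEOUT.search(msg):
            yield when, m.group(2), m.group(1), "pasv_timeout"
        elif m := RECV_TIMEOUT.search(msg):
            yield when, m.group(2), m.group(1), "recv_timeout"
        elif m := THREAD_FAIL.search(msg):
            yield when, m.group(1), None, "thread_fail"

def flag_hosts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return ({host: peak timeout count within one window}, thread_pool_exhausted_seen)."""
    by_host, exhausted = {}, False
    for when, host, _user, kind in parse_export(lines):
        if kind == "thread_fail":
            exhausted = True  # the System Event Log error the bulletin says admins will see
            continue
        by_host.setdefault(host, []).append(when)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        # Peak number of timeouts from this host inside any window starting at one of its events.
        peak = max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
        if peak >= threshold:
            flagged[host] = peak
    return flagged, exhausted
```

With the constructed sample, `flag_hosts(SAMPLE_EXPORT)` flags 192.0.2.10 with six timeouts and reports that the worker-thread failure was also logged; the single upload timeout from 198.51.100.7 stays below the threshold.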
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:55 PDT