IIS Zero Day Vulnerability Will Likely Never be Patched

A vulnerability found in Microsoft’s Internet Information Services (IIS) web server technology has been publicly detailed along with proof of concept exploit code.

Threat ID:: CC-1303
Category:: DOS, Exploit
Threat Severity:: Low
Threat Vector:: Zero day
Published:: 4 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A vulnerability found in Microsoft’s Internet Information Services (IIS) web server technology has been publicly detailed along with proof of concept exploit code.

Threat details

It is understood to have been under attack since July 2016. The flaw itself is found on IIS version 6.0. It reached end of life in July 2015 meaning it will likely not be patched which will leave all remaining servers that are yet to upgrade with the potential of a complete system compromise. The vulnerability is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service for IIS 6. The flaw itself is found within the WebDAV service, an extension to the [http] protocol designed to simplify sharing and content authoring.

An attack launched against a vulnerable server can cause a denial of service event but it could also result in a full remote code execution exploit.. With many IIS deployments running on a full Windows server installation often hosting other services for internal services, a break of this nature is capable of allowing a threat actor to gain a serious foothold in the network.

Remediation steps

Type	Step
	Either upgrade IIS or disable WebDAV as soon as possible. Conduct scans of your own address space either internally or with the use of a third party to discover any previously forgotten deployments that may be left vulnerable. Where vulnerable deployment have been available from the internet, access logs and other log data source should be analysed for unusual activity that may indicate a previous compromise.

Type

Step

Either upgrade IIS or disable WebDAV as soon as possible.
Conduct scans of your own address space either internally or with the use of a third party to discover any previously forgotten deployments that may be left vulnerable.
Where vulnerable deployment have been available from the internet, access logs and other log data source should be analysed for unusual activity that may indicate a previous compromise.

Last edited: 17 February 2020 11:32 am