Microsoft ISA Server in SecureNAT Configuration Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1014113|
SecurityTracker URL: http://securitytracker.com/id/1014113
(Links to External Site)
Updated: Nov 2 2008|
Original Entry Date: Jun 6 2005
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 2000 SP2|
A vulnerability was reported in Microsoft Internet Security and Acceleration (ISA) Server in the firewall service. A remote user may be able to cause the service to crash in certain situations.|
If client computers are configured as SecureNAT clients and generate heavy network traffic via the firewalll, the 'Wspsrv.exe' service may crash.
Wspsrv.exe versions prior than 3.0.1200.411 are vulnerable.
The vendor disclosed this vulnerability and Juha-Matti Laurio reported it to us.
A remote user may be able to cause the service to crash in certain situations.|
The vendor has issued a hotfix, described at:|
Vendor URL: support.microsoft.com/kb/894864/EN-US/ (Links to External Site)
Source Message Contents
Date: Thu, 2 Jun 2005 00:51:22 +0300 (EEST)|
Subject: Microsoft Internet Security and Acceleration Server 2000 Firewall
>From the vendor:
"ISA Server provides transparent support for client computers that have
no special client software installed, running on any platform or
operating system, using SecureNAT."
There is an access violation error in Microsoft Internet Security and
Acceleration (ISA) Server's Firewall service's executable file. This
problem may occur if heavy network traffic from client computers is
handled by the Firewall service; Wspsrv.exe. It is needed that client
computers are configured as SecureNAT clients. Finally the Microsoft ISA
Firewall service may unexpectedly crash and quit.
Versions ISA Server 2000 and ISA Server 2000 Service Pack 2 (SP2) are
affected (both versions ISA Server Standard Edition; SSE, and ISA Server
Enterprise Edition; EE, are released).
This can cause a false sense of security and unexpected conditions.
Server administrator operations is needed to return an ISA server to a
normal state and Firewall service to work again.
It is possible that the network's protection is not fully working when
the Microsoft ISA Firewall service is ended.
This can be possibly exploited by a malicuous user in an internal
network by generating heavy network traffic from his/hers workstation.
NOTE: This issue can be caused if a new server is published behind ISA
Server 2000 too and later heavy network traffic is generated.
Wspsrv.exe versions prior than 3.0.1200.411 are affected.
Affected component: Wspsrv.exe (ISA Firewall service .exe file)
A hotfix can be obtained by contacting Microsoft Product Support Services:
Users having problems mentioned are urged to contact the vendor for
information on obtaining an updated file.
NOTE: ISA Server 2000 Service Pack 2 installed is needed to apply this hotfix.
If this is not possible immediately, the following workarounds are
provided by the reporter:
Restrict access from the clients by setting limitations to network
Confirm that client computers are configured to use Windows Firewall or
Internet Connection Firewall (ICF).
Microsoft Support / Knowledbe Base Article #894864:
"The ISA Firewall service may unexpectedly quit when ISA Server 2000
experiences heavy network traffic"
Microsoft TechNet ISA Server Home Page:
"Microsoft Internet Security and Acceleration (ISA) Server"
"Microsoft Internet Security and Acceleration Server 2000 (ISA)
Technical Overview / Firewall Protection for Secure Internetworking"
"Microsoft ISA Server 2000, Standard Edition - Installation and
Chapter 2: Planning Considerations / Assessing Client Requirements
Software: Microsoft ISA Server 2000,
Microsoft ISA Server 2000 SP2
- Solution status:
This information was announced by the vendor, and analyzed, collected
and written to a report by me.
Juha-Matti Laurio, Networksecurity.fi
IT security researcher
<juha-matti.laurio [at] netti.fi>