- These vulnerabilities affect: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
- How an attacker exploits them: By sending specially crafted FTP commands or accessing a local log file
- Impact: In the worst case, a local attacker can learn the credentials for a local account
- What to do: Deploy the appropriate IIS update at your earliest convenience
Internet Information Services (IIS) is the popular Web and FTP server that ships with all server versions of Windows.
In a security bulletin released today as part of Patch Day, Microsoft describes two relatively minor information disclosure vulnerabilities that affect the popular web server and its optional FTP server.
The first is a local credential disclosure vulnerability due to an unprotected log file. Basically, a particular IIS log file stores the credentials for a configured user in clear text. If an attacker can already log into your IIS server, they can learn the credentials of your configured IIS users. Granted, if an attacker can already log into your IIS server, you have bigger problems to solve.
The second issue is an unspecified FTP command injection vulnerability. Microsoft doesn’t describe this flaw in much detail, saying only that an unauthenticated attacker can execute a limited set of FTP commands on IIS servers by sending specially crafted FTP commands. The attack works even if you do not enable “anonymous” FTP access. According to Microsoft’s bulletin, a malicious client can leverage this vulnerability to “obtain information disclosure on a vulnerable system.” However, they don’t really say what information the attacker can disclose, whether that means access to the files on the FTP site or some other information. Since the IIS FTP service is not enabled by default, and Microsoft rates this flaw only as Moderate, it doesn’t sound that severe.
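Two quick checks follow from the two issues above: whether the optional IIS FTP service is even present on a host, and whether the IIS log tree is readable by broad local groups (the log-file issue matters most where non-administrators can read logs). The PowerShell below is an added example for administrators, not code from the Microsoft bulletin or from WatchGuard. It assumes the Windows service name `ftpsvc` (the Microsoft FTP Service) and the IIS default log root `%SystemDrive%\inetpub\logs\LogFiles`; the bulletin does not name the specific log file, so the script audits the whole default log tree rather than a single file.

```powershell
# Added example (not from the original advisory): inventory the IIS FTP service
# and audit the default IIS log directory for read access granted to broad groups.
# Assumptions: service name 'ftpsvc'; default log root '%SystemDrive%\inetpub\logs\LogFiles'.

# 1. Is the optional IIS FTP service installed, and is it running?
$svc = Get-Service -Name 'ftpsvc' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'IIS FTP service (ftpsvc) is not installed on this host.'
} else {
    Write-Output ('IIS FTP service (ftpsvc) is installed; current status: {0}' -f $svc.Status)
}

# 2. Which directories under the default IIS log root allow read access to
#    broad principals? Entries listed here deserve a closer look; the fix for
#    the disclosure itself is still the Microsoft update.
$logRoot = Join-Path -Path $env:SystemDrive -ChildPath 'inetpub\logs\LogFiles'
$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

if (-not (Test-Path -Path $logRoot)) {
    Write-Output ('Default IIS log root not found: {0}' -f $logRoot)
} else {
    $dirs = @(Get-Item -Path $logRoot) +
            @(Get-ChildItem -Path $logRoot -Recurse -Directory -ErrorAction SilentlyContinue)

    $findings = foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $broadPrincipals -contains $ace.IdentityReference.Value
            $canRead  = (($ace.FileSystemRights -band $readBit) -ne 0)
            if ($isAllow -and $isBroad -and $canRead) {
                [PSCustomObject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

    if ($findings) {
        Write-Output 'Log directories readable by broad local principals:'
        $findings | Format-Table -AutoSize
    } else {
        Write-Output ('No broad read access found under {0}' -f $logRoot)
    }
}
```

Run it in an elevated PowerShell session on each IIS host; `Get-Acl` needs read permission on the directories it inspects, and the service query returns nothing on hosts where the FTP role was never installed, which is the default state the advisory describes.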
That said, we still recommend you download, test, and deploy Microsoft’s IIS updates at your earliest convenience.
Microsoft has released IIS updates to correct these vulnerabilities. If you manage IIS servers, download, test, and deploy the corresponding update at your earliest convenience.
For All WatchGuard Users:
Since at least one of these attacks is a local-only threat, which a gateway appliance can’t prevent, we recommend you apply the updates described above.
Microsoft has released patches to fix these vulnerabilities.