Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Microsoft IIS Request Header Buffer Overflow Vulnerability (MS10-065)

Subscribe

Check Point Reference: CPAI-2010-261
Date Published:
Preemptive Since:
Severity:
Source: Microsoft Security Bulletin MS10-065
Industry Reference(s): CVE-2010-2730
Protection Provided by: Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Internet Information Services 7.5 on:
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 (Itanium)
Vulnerability Description
A buffer overflow vulnerability has been reported in Microsoft Internet Information Services (IIS) with FastCGI enabled. IIS is a collection of Internet services packaged with several versions of the Windows operating system. FastCGI for IIS enables popular application frameworks that support the FastCGI protocol to be hosted on the IIS web server. A remote attacker could use this issue to execute arbitrary code on an affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-065 
Vulnerability Details
The vulnerability is due to an error in the way Internet Information Services with FastCGI enabled handles request headers. An attacker may exploit this issue by crafting an HTTP request and sending it to the vulnerable service. Successful exploitation of this vulnerability would allow the attacker to take complete control of the affected system.

Protection Overview
This protection will detect and block HTTP requests attempting to exploit this vulnerability. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Protocol Inspection.  
2. In the right pane, double-click the HTTP Format Sizes protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Select the Max number of headers checkbox and configure it to 17. Note that this may cause false positives by also blocking legitimate traffic.
5. You can apply the protection to all HTTP traffic or to selected web servers.
6. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: HTTP Format Sizes
Attack Information: Number of HTTP headers exceeded allowed maximum number

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence HTTP Protocol Inspection HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Select the Max number of headers checkbox and configure it to 17. Note that this may cause false positives by also blocking legitimate traffic.
4. You can apply the protection to all HTTP traffic or to selected web servers.
5. Install policy on all modules. 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: HTTP Format Sizes
Attack Information: Number of HTTP headers exceeded allowed maximum number

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the IIS Attacks protection group
3. Click Microsoft IIS FastCGI Header Overflow (MS10-065) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

 
Alert Name: Attacks against IIS web servers
 Description: Microsoft IIS FastCGI Header Overflow (MS10-065)