Microsoft ISA Server TCP State Limited Denial of Service Vulnerability
(MS09-016, CVE-2009-0077)
Microsoft Internet Security and Acceleration (ISA) Server is prone to a denial of service condition. Successful exploitation will cause the Web listener to stop responding to new requests.
Vulnerability Details
ISA Server, which originated as Microsoft Proxy Server, provides application-layer firewalling and Internet access for client systems.
The vulnerability is due to the way the firewall engine handles TCP state for Web proxy listeners. The Web proxy listener's state management fails to handle session state correctly, which leaves orphaned open sessions and can cause a denial of service. A remote attacker could exploit this vulnerability by sending specially crafted network packets to the affected system. Successful exploitation results in a denial of service.
Protection
A Check Point protection against this vulnerability has been available since 2004, through the Check Point Sequence Verifier. This feature of Check Point’s integrated IPS system, Check Point SmartDefense, matches each TCP packet’s sequence number against the tracked state of its TCP connection. Packets that match an existing TCP session but carry incorrect sequence numbers are either dropped or stripped of their data.
No update is required to address this issue. For more information, see the Advisory.
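The two mechanisms named on this page, a firewall tracking per-session TCP state (the mishandling of which leaves orphaned sessions behind) and a sequence verifier that judges each packet against that tracked state, can be illustrated with a small connection tracker. The following is an added example written for this page; it is not Check Point's Sequence Verifier, SmartDefense, or any ISA Server code. It assumes a constructed 4-tuple session key, a single constructed window size applied in both directions, a configurable "drop" or "strip" policy for out-of-window segments, and an idle timeout that reaps sessions so that stale ones cannot accumulate.

```python
"""Added example (not Check Point's or Microsoft's code): a toy TCP connection
tracker with a sequence verifier and an idle-session reaper.

Assumptions, all constructed for illustration:
  * a session is keyed by (client_ip, client_port, server_ip, server_port);
  * one receive window size (WINDOW_BYTES) is applied to both directions;
  * the action for an out-of-window segment is a policy choice, "drop" or "strip";
  * sessions idle longer than IDLE_TIMEOUT_S are reaped so they cannot pile up.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around
WINDOW_BYTES = 65535       # constructed: span accepted on either side of the expected byte
IDLE_TIMEOUT_S = 300.0     # constructed: idle time after which a session is reaped


def seq_in_window(seq: int, expected: int, window: int = WINDOW_BYTES) -> bool:
    """True if seq is within `window` bytes of `expected`, modulo 2**32.
    Ahead of expected covers new data; behind it covers retransmissions."""
    offset = (seq - expected) % SEQ_MOD
    return offset < window or offset >= SEQ_MOD - window


@dataclass
class Session:
    expected: dict          # direction -> next sequence number expected from that side
    last_seen: float        # timestamp of the last in-window segment


class SequenceVerifier:
    def __init__(self, policy: str = "drop", window: int = WINDOW_BYTES,
                 idle_timeout: float = IDLE_TIMEOUT_S):
        if policy not in ("drop", "strip"):
            raise ValueError("policy must be 'drop' or 'strip'")
        self.policy = policy
        self.window = window
        self.idle_timeout = idle_timeout
        self.sessions: dict = {}   # 4-tuple -> Session

    def open(self, key, client_isn: int, server_isn: int, now: float) -> None:
        """Record a completed handshake. SYN and SYN/ACK each consume one sequence
        number, so the first data byte from either side is its ISN + 1."""
        self.sessions[key] = Session(
            expected={"c2s": (client_isn + 1) % SEQ_MOD,
                      "s2c": (server_isn + 1) % SEQ_MOD},
            last_seen=now)

    def check(self, key, direction: str, seq: int, payload_len: int, now: float) -> str:
        """Classify one segment as 'accept', 'drop', 'strip' or 'no-session'."""
        sess = self.sessions.get(key)
        if sess is None:
            return "no-session"
        expected = sess.expected[direction]
        if not seq_in_window(seq, expected, self.window):
            # Same 4-tuple, but the sequence number does not fit the tracked state:
            # apply the configured policy instead of updating the session.
            return self.policy
        # Advance the expectation only when the segment carries bytes beyond it
        # (a pure retransmission ends at or before `expected` and changes nothing).
        end = (seq + payload_len) % SEQ_MOD
        if payload_len and (end - expected) % SEQ_MOD < self.window:
            sess.expected[direction] = end
        sess.last_seen = now
        return "accept"

    def reap(self, now: float) -> int:
        """Remove sessions idle longer than idle_timeout; return how many were removed."""
        stale = [k for k, s in self.sessions.items()
                 if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo():
    """Run a constructed exchange through the verifier and return the verdicts."""
    v = SequenceVerifier(policy="strip")
    key = ("10.0.0.5", 40000, "192.0.2.10", 8080)   # constructed addresses
    v.open(key, client_isn=1000, server_isn=5000, now=0.0)
    results = [
        v.check(key, "c2s", 1001, 100, 1.0),      # first data segment: accept
        v.check(key, "c2s", 1101, 50, 2.0),       # next in-order segment: accept
        v.check(key, "c2s", 1001, 100, 3.0),      # retransmission: accept, no advance
        v.check(key, "c2s", 900000, 10, 4.0),     # far outside the window: policy action
        v.check(key, "s2c", 5001, 20, 5.0),       # server direction: accept
        v.check(("10.0.0.6", 1, "192.0.2.10", 8080), "c2s", 1, 0, 6.0),  # untracked
    ]
    reaped = v.reap(now=5.0 + IDLE_TIMEOUT_S + 1)  # session idle past the timeout
    return results, reaped, v.sessions.get(key)


if __name__ == "__main__":
    print(demo())
```

With the "strip" policy the caller forwards the out-of-window segment with its payload removed; with "drop" it discards the segment entirely. Either way the tracked session is left untouched, and the reaper bounds how long an abandoned session can occupy the table.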