A guide to the IIS WebDAV vulnerability

ID THREATPOST:EC55500DAF9E1467C9C94C82758F810C
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:39:07


Even for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It’s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, Steve Friedl of Unixwiz.net has taken the time to make some sense of it all.

Friedl, a security consultant, put together a flow chart that helps administrators figure out whether their Web servers are vulnerable. His key piece of advice is, if you’re not sure whether your servers are at risk, find an expert who can test your machines and give you a definitive answer.

The vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems are getting hacked with this, and it’s important to assess your local security posture and take steps to mitigate exposures that are discovered.

Microsoft published information on this in their Security Advisory (971492), but we found their guidance confusing for users who were not IIS experts. While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the “not vulnerable” stage if that’s indeed the case.

Most systems are likely not vulnerable, but unless the flowchart below leads to “You are not vulnerable”, we strongly recommend seeking local expertise to help assess your situation properly.

As Friedl and others have noted, attackers are actively exploiting the IIS WebDAV vulnerability, and as there’s no patch available yet, it’s vital that enterprises take a close look at their Web servers to see whether they’re vulnerable. Microsoft officials have said they’re investigating the vulnerability and it would not be surprising to see an out-of-band patch for IIS, given the seriousness of the problem.