Just weeks ago, on May 18th, Microsoft released Security Advisory 971492 (1) on a vulnerability in Internet Information Services (IIS), Microsoft's web server. The flaw, found in the WebDAV extension, allows anonymous, remote and unauthorized access to the server, bypassing its access and authentication controls.
I would like to explain what WebDAV actually does and then discuss some actions to avoid or mitigate this risk.
WebDAV stands for Web-based Distributed Authoring and Versioning. It is an extension to HTTP that allows remote administration of a web server over the protocol itself: it adds commands to create folders, lock and unlock resources, and move or copy files. Common users of this module are web content creation and publishing tools; Windows also uses it to access "Web Folders" and update files on the server as if they were on the local machine. For more information on WebDAV, refer to RFC 4918 (2).
The versions of the server vulnerable to this issue are Microsoft Internet Information Services 5.0 (Windows 2000), 5.1 (Windows XP x86) and 6.0 (Windows XP x64 and Server 2003).
This is currently being exploited in the wild and is affecting servers all over the world, so action needs to be taken to protect our assets. We can expect a security patch that corrects this flaw on the next Patch Tuesday (the second Tuesday of the month), but it is important to keep our Windows machines patched to prevent this and many other vulnerabilities.
To mitigate the impact of this exploit until it is corrected, make sure your file system enforces ACLs, so that an anonymous user who gets past the web server's authentication is still denied file system access according to user privileges and cannot change or write to the server. Consider disabling WebDAV if no applications use it, and remember to update your versions.
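While the patch is pending, it is also worth knowing whether anonymous clients are actually being served WebDAV commands. The following is an added example, not code from the original post or from Microsoft: it reads IIS W3C extended log lines (assuming the usual `#Fields:` header and `-` as the logged username for unauthenticated requests) and flags successful WebDAV methods answered to anonymous users. The log lines are constructed for the example.

```python
"""Flag WebDAV requests that IIS served to anonymous users, from W3C logs.
Added example, not from the original post. Assumes the log carries IIS's
'#Fields:' directive and logs unauthenticated requests with cs-username '-'.
"""

# Methods WebDAV adds on top of plain HTTP (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK"}

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or fields is None:
            continue  # blank, other directive, or data before a header
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def anonymous_webdav_hits(lines):
    """Return (client ip, method, uri) for 2xx WebDAV requests served
    with no authenticated user, i.e. the access the advisory describes."""
    hits = []
    for rec in parse_w3c(lines):
        if (rec.get("cs-method") in WEBDAV_METHODS
                and rec.get("cs-username", "-") == "-"
                and rec.get("sc-status", "").startswith("2")):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return hits

# Constructed sample in the IIS 6 W3C layout: one anonymous GET (normal),
# a PROPFIND that was correctly challenged (401), a PROPFIND that was
# answered to an anonymous client (207 Multi-Status), and an authenticated
# MKCOL by a named user.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2009-05-20 10:01:02 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 200 0 0
2009-05-20 10:01:05 192.0.2.10 PROPFIND /private/ - 80 - 198.51.100.7 401 2 5
2009-05-20 10:01:09 192.0.2.10 PROPFIND /private/ - 80 - 198.51.100.7 207 0 0
2009-05-20 10:01:14 192.0.2.10 MKCOL /private/new/ - 80 jdoe 198.51.100.8 201 0 0
""".splitlines()

if __name__ == "__main__":
    for ip, method, uri in anonymous_webdav_hits(SAMPLE_LOG):
        print(f"anonymous {method} {uri} answered for {ip}")
```

A 2xx WebDAV response to a client IIS logged as unauthenticated on a path that should require credentials is the signal to investigate; the challenged 401 and the named-user MKCOL are left alone.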
1. http://www.microsoft.com/technet/security/advisory/971492.mspx
2. http://rfc.net/rfc4918.html