What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable an attacker to disrupt an ISA server, thereby preventing any web traffic from passing through the firewall in either direction. An attacker inside the firewall could exploit the vulnerability under any conditions; an attacker outside the firewall could exploit it only if the Web Publishing feature were enabled, or she were able to convince an internal user to open web content of her choosing.
The vulnerability would not allow the attacker to usurp any administrative control over the firewall, nor would it enable an attacker to breach the security of the firewall. Also, the vulnerability would only provide a way to disrupt the web proxy service - other services would remain in operation. The web proxy service could be restored by restarting it.
What causes the vulnerability?
The vulnerability results because the Web Proxy service in ISA Server doesn't correctly handle a particular type of request for web resources if it exceeds a particular length. If such a request were received, the Web Proxy service would fail with an access violation.
What is ISA Server?
Internet Security and Acceleration (ISA) Server provides both an enterprise firewall and a high-performance web cache. The firewall protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The web cache helps improve network performance by storing local copies of frequently-requested web content.
What is the Web Proxy service?
The Web Proxy service enables web requests to be made via the firewall. When an internal user needs to access an external web site, the firewall makes the request on her behalf, and provides the content to her when it's received. This improves security in two ways: it allows the network administrator to regulate which sites users can visit, and masks users' internal network addresses when they access web sites.
The Web Proxy also can be configured to provide a "reverse proxy" service. This is done via the Web Publishing feature which, if enabled, allows external users to access internal web sites without exposing the actual address of the sites. By default, the Web Publishing feature is disabled.
What's wrong with the Web Proxy service?
It doesn't correctly handle a particular type of request for web resources if it exceeds a certain length. If such a request were received, it would cause an access violation that would result in the failure of the Web Proxy service.
Who could levy such a request?
As long as the Web Proxy service is running (and it runs by default), any internal user could levy the type of request at issue here. If the Web Publishing feature were enabled, an external user could also levy such a request.
Is there any other way for an external user to exploit the vulnerability?
If an external attacker were able to entice or persuade an internal user into visiting a web page or opening an HTML e-mail, it could be possible for her to exploit the vulnerability even if the Web Publishing feature were disabled. The web page or HTML e-mail could contain a request of the type described above, and because it would originate from within the network, it could exploit the vulnerability even if Web Publishing were disabled.
What could an attacker do via this vulnerability?
An attacker could use this vulnerability to disrupt the Web Proxy service. By sending a web request of the type discussed above, she could cause the service to fail, thereby preventing the firewall from passing any web requests, in either direction.
How could normal service be restored?
The administrator could restore normal service by restarting the Web Proxy service. It would not be necessary to reboot the server.
How great a threat does this vulnerability pose?
It depends on whether the Web Publishing feature is enabled. By default, it's disabled, and an attacker would need to be located within the network to exploit the vulnerability. However, if it were enabled, any Internet user could exploit it. Clearly, the latter case would pose a much greater threat.
Could an attacker use the vulnerability to take control of the ISA server?
No. This is a denial of service attack only. There is no capability to usurp any administrative privileges.
Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides. It can only be used to prevent the Web Proxy service from passing any data at all.
What does the patch do?
The patch eliminates the vulnerability by causing the Web Proxy service to correctly treat the request at issue as invalid.