Two Problems in ISA Server 2000

Reported June 14, 2005 by Microsoft

VERSIONS AFFECTED

           

Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2, including Microsoft Small Business Server 2000

DESCRIPTION

Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2 (SP2) contains two vulnerabilities. ISA Server doesn't properly process malformed HTTP requests, which could allow an intruder to poison the cache, bypass content restrictions, access unauthorized content, or redirect other ISA Server users to various content.

Also, the process used by ISA Server to validate NetBIOS contains a vulnerability that could allow an intruder to gain access with elevated privileges and to connect to services using the NetBIOS protocol.

VENDOR RESPONSE

Microsoft released a security bulletin, Cumulative Security Update for ISA Server 2000 (899753), and an associated patch to correct these problems.

CREDITS

Steve Orrin of Watchfire reported the HTTP request processing vulnerability.

Han Valk reported the NetBIOS vulnerability.