Preemptive Protection against Microsoft ISA Server Cross-Site Scripting (XSS) Vulnerability (MS09-016)
| Check Point Reference: | CPAI-2009-092 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS09-016 | |
| Industry Reference(s): | CVE-2009-0237 | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Microsoft Forefront Threat Management Gateway, Medium Business Edition Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition SP1 Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition Supportability Update Microsoft Internet Security and Acceleration (ISA) Server 2006 Standard Edition Microsoft Internet Security and Acceleration (ISA) Server 2006 Standard Edition SP1 Microsoft Internet Security and Acceleration (ISA) Server 2006 Standard Edition Supportability Update | ||
| Vulnerability Description A cross-site scripting (XSS) vulnerability has been reported in the cookieauth.dll component in Microsoft Internet Security and Acceleration (ISA) Server. ISA Server, originating as Microsoft Proxy Server, is a Firewall & Security product that provides Application-Layer Firewalling, acts as a VPN endpoint, and provides Internet Access for client systems in a Business Networking environment. A remote attacker may exploit this vulnerability to run malicious scripts on an affected system. |
||
|
Update/Patch Available Apply patches: Microsoft Security Bulletin MS09-016 |
|
|
Vulnerability Details The vulnerability is due to an input validation error in the HTTP stream. A remote attacker can exploit this issue to execute a cross-site scripting attack through the cookieauth.dll component in ISA Server or Forefront TMG, by convincing a user to click on a maliciously crafted URL that contains a script code. Successful exploitation of this vulnerability could allow the attacker to inject script code into the web pages viewed by other users. |
Protection Overview
This protection will detect and block Cross-Site Scripting attacks. No update is required to address this vulnerability for users of Security Gateway R70, VPN-1 NGX R61, R62 and R65, VSX NGX R65 and InterSpect NGX. Users of IPS-1 need to update their systems. IPS-1 will detect and block attempts to inject JavaScript into known-vulnerable HTTP APIs.
To configure the defense, select your product from the list below and follow the related protection steps.
Security Gateway R70
How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Application Layer.
2. In the right pane, double-click the Cross-Site Scripting protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. The protection can be applied either to all HTTP traffic or to selected web servers.
- If you choose to apply the protection to all HTTP traffic, change the security level to HIGH.
- If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Configure Default....
III. Change the Security Level to HIGH and click OK.
5. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Application Layer > Cross Site Scripting.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers.
4. Change the security level to HIGH. If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Edit.
III. Next to "Cross Site Scripting" click Advanced.
IV. Change the Security Level to HIGH and click OK.
5. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL
VPN-1 NGX R61 & R60
How Can I Protect My Network?
1. In the Web Intelligence tree, click Application Layer > Cross Site Scripting.
2. In the configuration pane, the protection can be applied either to all HTTP traffic or to selected web servers.
3. Change the security level to HIGH. If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Edit.
III. Next to "Cross Site Scripting" click Advanced.
IV. Change the Security Level to HIGH and click OK.
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL
VPN-1 VSX NGX R65
How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Application Layer > Cross Site Scripting.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers.
4. Change the security level to HIGH. If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Edit.
III. Next to "Cross Site Scripting" click Advanced.
IV. Change the Security Level to HIGH and click OK.
5. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Application Layer > Cross Site Scripting.
3. In the configuration pane change the Security Level to HIGH.
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL
IPS-1 & IPS-1 NGX R65
How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the XSS Attacks protection group.
3. Click User Defined XSS Alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Alert Name: XSS Attacks
Description: User Defined XSS Alert