search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL redirecting is enabled

Vulnerability Note VU#544555

Original Release Date: 2001-08-14 | Last Revised: 2001-08-14

Overview

A vulnerability in IIS 4.0 may permit intruders to crash vulnerable IIS servers with URL redirection enabled.

Description

A vulnerability in Microsoft IIS 4.0 allows an attacker to crash IIS 4.0 servers if they are configured to use URL redirection. URL redirection is not used by default. This vulnerability is exercised by the Code Red worm, but is distinct from the vulnerability that allows the worm to compromise systems. For more information, please see

http://www.microsoft.com/technet/itsolutions/security/tools/redthree.asp?frame=true

No patch is available at this time. Due to the large numbers of systems still infected with Code Red as of this writing, it is likely that systems running IIS 4.0 with redirection enabled will have difficulty maintaining normal operation until and unless URL redirection is disabled, or until a patch is available.

Impact

Intruders can crash vulnerable IIS 4.0 systems. IIS 5.0 is not affected.

Solution

No patch is currently available.

Until a patch is available disable URL redirection on your system.

Vendor Information

544555
 
Expand all

Microsoft Affected

Updated:  August 14, 2001

Status

Affected

Vendor Statement

For more information, see http://www.microsoft.com/technet/itsolutions/security/tools/redthree.asp?frame=true

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Our thanks to Microsoft for the information contained on their web site.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: None
Severity Metric: 22.50
Date Public: 2001-08-13
Date First Published: 2001-08-14
Date Last Updated: 2001-08-14 19:55 UTC
Document Revision: 9

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis