10th Apr 2003 [SBWID-6131]
COMMAND
	Microsoft Proxy Server and Internet  Security  and  Acceleration  Server
	DoS
SYSTEMS AFFECTED
	Microsoft Proxy  Server  2.0  and  Internet  Security  and  Acceleration
	Server 2000
PROBLEM
	In         iDEFENSE         Security          Advisory          04.09.03
	[http://www.idefense.com/advisory/]:
	Microsoft  Corp.'s  Internet  Security  and  Acceleration  Server  (ISA)
	Server integrates an extensible, multi-layer enterprise firewall  and  a
	scalable high-performance web cache.  It  builds  on  Microsoft  Windows
	2000 security and directory for policy-based security, acceleration  and
	management  of  internetworking.  More  information  is   available   at
	http://www.microsoft.com/isaserver/ . MS Proxy 2.0  is  the  predecessor
	to    ISA    Server,    more     information     is     available     at
	http://www.microsoft.com/isaserver/evaluation/previousversions/default.asp.
	 DESCRIPTION
	 ===========
	A vulnerability exists in ISA  Server  and  MS  Proxy  2.0  that  allows
	attackers  to  cause  a  denial-of-service  condition  by   spoofing   a
	specially crafted packet to the target system. Another  impact  of  this
	vulnerability is the capability of a  remote  attacker  to  generate  an
	infinite packet storm between two  unpatched  systems  implementing  ISA
	Server or MS Proxy 2.0 over the Internet.
	Both ISA Server and MS Proxy 2.0, by default, install  a  WinSock  Proxy
	(WSP) service wspsrv.exe, designed for testing and diagnostic  purposes.
	The WSP service creates a User Datagram Protocol socket  bound  to  port
	1745. A specially crafted packet can cause WSP to generate a  continuous
	flood of requests and reply requirements.
	 ANALYSIS
	 ========
	In the case of the attack scenario for an internal LAN attacker  causing
	a denial of service, this  malformed  packet  must  meet  the  following
	criteria:
	 *  The source and destination IP are the same as the ISA Server.
	 *  The source and destination port is 1745.
	 *  The data field is specially crafted and resembles the request format.
	An attacker with access to the LAN can anonymously generate a  specially
	crafted UDP packet that will cause the target ISA Server to fall into  a
	continuous loop of processing  request  and  reply  packets.  This  will
	cause the ISA Server to consume 100 percent of the  underlying  system's
	CPU usage. It will continue to do so until the  system  reboots  or  the
	WinSock Proxy (WSP) service restarts.
	In the case of the attack  scenario  of  a  remote  attacker  causing  a
	packet storm between two systems running ISA Server  or  MS  Proxy  2.0,
	the malformed packet must meet the following criteria:
	 *  The source IP is one of the targets
	 *  The destination IP is the other target
	 *  The source and destination port is 1745.
	 *  The data field is specially crafted and resembles the request format.
	 DETECTION
	 =========
	iDEFENSE has verified that Microsoft ISA Server 2000 and  MS  Proxy  2.0
	are  both  vulnerable  to  the  same  malformed  packet  characteristics
	described above.
	Wspsrv.exe is enabled by default in  Proxy  Server  2.0.  The  Microsoft
	Firewall server is enabled by default in ISA Server  firewall  mode  and
	ISA Server integrated mode installations. It is disabled in  ISA  Server
	cache mode installations.
SOLUTION
	 WORKAROUND
	 ==========
	To prevent the second attack scenario, apply ingress  filtering  on  the
	Internet router on UDP port 1745 to  prevent  a  malformed  packet  from
	reaching the ISA Server and causing a packet storm.
	 RECOVERY
	 ========
	Restart either the WinSock Proxy  Service  or  the  affected  system  to
	resume normal operation.
	 VENDOR FIX/RESPONSE
	 ===================
	Microsoft has provided fixes for Proxy Server 2.0 and ISA Server at
	
	http://www.microsoft.com/technet/security/bulletin/MS03-012.asp