Check Point Advisories

VMware Server ISAPI Extension Remote Denial Of Service (CVE-2008-3697)

Vulnerability
Protection

Check Point Reference:	CPAI-2008-351
Date Published:	14 Dec 2009
Severity:	Low
Last Updated:	Sunday 27 January, 2019
Source:
Industry Reference:	CVE-2008-3697
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	The VMware server is a server virtualization platform that allows a single physical server to run multiple virtual machines simultaneously. The server provides a web-based management interface called VMware Management Console. For VMware server hosted on windows servers, the IIS server is used to provide the management console web services. There exists a vulnerability in the ISAPI extension provided by VMware Server to extend support to IIS for running Perl scripts. By supplying overly large data to the ISAPI extension iisperl.dll in a POST request, a remote attacker can terminate the IIS service and create a Denial of Service condition. Upon processing malicious POST request, the affected IIS server process will terminate, which triggers a Denial of Service condition. On most installations, the service will restart automatically to resume the normal operation.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the VMware Server ISAPI Extension Remote Denial Of Service protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Content Protection Violation.
Attack Information: VMware Server ISAPI Extension Remote Denial Of Service