Check Point Advisories

Microsoft IIS FTP Server Recursive Listing Denial of Service (CVE-2009-2521; CVE-2009-3023)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-183
Date Published:	8 Sep 2009
Severity:	High
Last Updated:	Tuesday 08 September, 2009
Source:
Industry Reference:	CVE-2009-2521 CVE-2009-3023
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	IIS is a collection of Internet services packaged with several versions of the Windows operating system. IIS includes an FTP server service for exchanging and manipulating files over a TCP computer network. A stack consumption vulnerability has been discovered in Microsoft Internet Information Services (IIS) FTP server. The vulnerability is due to resource exhaustion encountered when processing certain recursive directory listings. A remote attacker may exploit this issue by crafting an FTP command and sending it to a target server. Successful exploitation of this vulnerability would allow the attacker to crash the vulnerable service via a malicious command.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability via malicious FTP patterns.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft IIS FTP Server Recursive Listing Denial of Service protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: FTP Enforcement Violation.
Attack Information: Microsoft IIS FTP server recursive listing denial of service