MICROSOFT HAS NO PLANS to fix a flaw which could affect up to 600 000 web servers running Internet Information Services (IIS) 6.0.
The zero-day vulnerability occurs in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft’s web server IIS 6.0. WebDAV is an extension of the HTTP protocol that allows clients to write web content remotely.
WebDAV has a method called PROPFIND this allows a user to retrieve properties of a resource. The header called IF which handles the state token. By issuing an overly large IF header in a PROPFIND request, an attacker may be able to create a denial of service condition or run arbitrary code in an application, reports security vendor Trend Micro in a blog post.
The vulnerability was found by researchers Zhiniang Peng and Chen Wu of the South China University of Technology Guangzhou, China. The flaw was made public on 27 March. The researchers say that “other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code”. The researchers further added that it has already been exploited in the wild with incidents observed last year.
The extended support period for Windows Server 2003 by Microsoft ended 20 months ago, so there is no official security fix for this issue. The vulnerability was found in systems running IIS 6.0 on Windows Server 2003 R2.
The true number of these servers that are actually vulnerable is unclear. For starters, there may be many more operational servers that are unaccessible to the internet. Secondly many will not have WebDAV enabled. Researcher Iraklis Mathiopoulos found that only 10 per cent of those discovered by Shodan appears to be running WebDAV.
,An unofficial fix is currently available, by Opatch users – patch for CVE-2017-7269. However in absence of an official solutions, users are urged to disable WebDAV or upgrade to a newer operating system