Mise à jour de sécurité pour ISA Server 2004, 2006 et Forefront TMG (MBE)

Mise à jour de sécurité pour ISA Server 2004, 2006 et Forefront TMG (MBE)

Voilà après 4 annnées de tranquilité, il fallait bien que ça arrive : un bulletin de sécurité pour ISA Server 2004, 2006 et TMG (MBE) concernant 2 vulnérabilités

Executive Summary
This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

This security update is rated Important for Forefront TMG MBE, ISA Server 2004, and ISA Server 2006. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that the firewall engine handles the TCP state and the way that HTTP forms authentication handles input. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. None.

Les 2 vulnérabililités sont les suivantes :

Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077

A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0077.

Cross-Site Scripting Vulnerability - CVE-2009-0237

A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0237.

Informations complémentaires dans le bulletin de sécurité : MSRC bulletin MS09-016              https://www.microsoft.com/technet/security/bulletin/ms09-016.mspx

La mise à jour est disponible via Microsoft Update mais vous pouvez aussi télécharger le correctif en passant par les fiches de la base de connaissance par version d'ISA / TMG :

ISA Server 2004

Correctif Pour ISA Server 2004 Standard et Entreprise
MS09-016: Description of the security update for ISA Server 2004: April 14, 2009
https://support.microsoft.com/kb/960995/en-us/
Note : Pour appliquer ce correctif, il faut que le SP3 d'ISA Server 2004 Standard ou Entreprise  ait été installé
Note 2 : l'application de ce correctif implique un redémarrage du serveur

ISA Server 2006

A cross-site scripting vulnerability in ISA Server 2006 allows for redirection to malicious sites
https://support.microsoft.com/kb/968077/en-us/

FIX: ISA Server stops accepting new requests after you configure Web publishing, Web proxy, or Automatic discovery
https://support.microsoft.com/kb/958951/en-us/

Correctif pour ISA Server 2006 Standard et Entreprise
MS09-016: Description of the ISA Server 2006 hotfix package: April 14, 2009
https://support.microsoft.com/kb/968078/en-us/
Note : l'application de ce correctif implique un redémarrage du serveur

Forefront Threat Management Gateway Medium Business Edition

You encounter a Web listener TCP State vulnerability in Forefront Threat Management Gateway MBE
https://support.microsoft.com/kb/961831/en-us/

A cross-site scripting vulnerability in Forefront Threat Management Gateway MBE allows for redirection to malicious sites
https://support.microsoft.com/kb/968076/en-us/

Correctif pour Pour Microsoft Forefront Threat Management Gateway, Medium Business Edition
Windows Essential Business Server 2008 Standard
MS09-016: Description of the Forefront Threat Management Gateway MBE hotfix package: April 14, 2009
https://support.microsoft.com/kb/968075/en-us/
Note : l'application de ce correctif implique un redémarrage du serveur

Last Note : ces vulnérabilités ne concernent pas ISA Server 2000 SP2

et comme dirait mon collègue Pascal : “Patchez-vous bien”