A new remote execution vulnerability (CVE-2017-7269) was recorded in the National Vulnerability Database for Windows 2003 R2 IIS6 last week. Exploitation of this vulnerability allows a remote attacker to execute code on the vulnerable web server.
This potentially allows hackers to take over the whole system, install remote control systems and propagate within the local network by conducting local attacks. The results of exploitation might be catastrophic for organizations. Microsoft will not provide a patch for this vulnerability, as the OS is not officially supported.
The Digital Edge Security Team has analyzed the exploitation possibilities. Although there is a serious possibility of such vulnerabilities being exploited, we discovered the following:
- We could not exploit the vulnerability over SSL. In this case, the server was terminating the connection.
- We could not exploit the vulnerability if a .NET application is enabled on the web site. The server was logging a security error: “path 'PROPFIND' is forbidden”. So the .NET script map does not allow the “PROPFIND” verb.
When you really should worry:
- If you use the WebDAV protocol.
- If you don’t know whether or not you are using the WebDAV protocol.
What you can do to mitigate:
- Update to a newer version of Windows.
- Disable the WebDAV protocol.
Further, Digital Edge LogIT Services were updated to include the PROPFIND error message in the security triggers for customers who use our service.
Digital Edge LogIT Service gives clients the ability to collect system logs and create security alerts based on Digital Edge’s experience working in the IT security area.