By: Russell Moore, Solutions Architect, and Josh Berry, Senior Technology Manager
If you’re running Windows Server 2003 with IIS 6.0 with WebDAV enabled, a recently-discovered exploitable vulnerability allows a remote attacker to run code against the application software and take control of the machine. The attacker could inject code and commands and get feedback, taking control of operating system level functions. This means that your critical data and intellectual property are at risk of compromise.
Since Server 2003 is no longer supported by Microsoft, this issue will only get worse. This is just the first exploitable vulnerability – it will not be the last.
The recently released CVE-2017-7269 is a newly-discovered exploitable vulnerability affecting Windows Server 2003 R2. Active exploit code is available now; the vulnerability was reportedly exploited in the wild in July or August of 2016. The vulnerable configuration requires that WebDAV be enabled and Internet Information Services (IIS) 6.0 is in use. An estimated 60,000 servers are potentially affected.
Detecting the vulnerability
The best way to detect this and other vulnerabilities is to know what is in your environment – maintain an up-to-date inventory of systems and devices, along with their end-of-life and end-of-support dates and upgrade paths.
Vulnerability scans are also essential to detecting vulnerabilities in your environment. Ensure your scanner software is up to date so that it is checking for the latest vulnerabilities or engage a reliable and experienced third party to perform the scans.
If you can’t take your 2003 servers out of production or upgrading isn’t likely in the near term, and you have a web application that requires WebDAV, you have options. Additional security controls can be implemented to reduce the attack footprint and help prevent exploitation of the vulnerability.
First, identify vulnerable systems and whether they contain valuable data. Then, engage the right experts to assess the environment and actually talk to IT and the business application owners to understand the viable paths forward. Is there a path to migrate these applications to a newer operating system or platform? If not, then how does the application work? There are steps that can be taken to minimize risk, like using application whitelisting programs or isolating the system through network segmentation, for example. The problem likely can’t be completely eliminated, but risk can be minimized.
If you feel stuck running on legacy hardware, operating systems, and application software that has outlived manufacturer support, Accudata can help remediate to protect against this vulnerability. Accudata will work with IT and business application owners to design solutions that maintain business functions while reducing risk to the organization.
This and future Server 2003 vulnerabilities will not be patched by Microsoft – Microsoft ended support for Server 2003 on July 14, 2015. The current workaround is to disable the WebDAV Web Service Extension if it is not required by any web applications in the environment. Accudata recommends upgrading systems to supported platforms.
Accudata can design a path forward that is appropriate for your environment. Contact Brian DiPaolo at BDiPaolo@AccudataSystems.com to schedule a vulnerability assessment or penetration test to detect this and other critical vulnerabiities that could expose your systems and data.