By Mark Hofman, Terry Darling, and Simon Treadaway
1- MS15-034 – HTTP.sys Advisory (CVE CVE-2015-1635)
Microsoft earlier this week released a patch for both servers and workstations, MS15-034. This patch addresses an issue in the file http.sys. The http.sys file is used by the operating system to accept and process HTTP and HTTPS requests. At the time of release the information provided by Microsoft was that remote code exploitation may have been possible. Since its release on Tuesday Proof Of Concept (PoC) code has been published on the Internet. The initial versions would only check for a particular response from the server. However these have now morphed into simple requests that will cause a Denial of Service (DoS) and cause the Windows system to blue screen.
The vulnerability may result in a complete takeover or disruption of systems and services through a successful DoS attack. Microsoft states it has not received any information to indicate that this vulnerability has yet been publicly used in attacks, however since its release PoC code has emerged, and multiple threat intelligence honeypots are detecting scans for this vulnerability utilising the strings that result in a DoS.
Mass scale exploitation of Internet-facing web-servers having the vulnerability is expected.
As exploitation does not require authentication or an indicator of compromise the most effective response is to implement remediation measures as soon as reasonably possible.
2- How does it work
The vulnerability is in the main component of the Windows HTTP protocol stack known as http.sys and is caused when http.sys improperly parses what Microsoft describes as “specially crafted HTTP requests”. The specially crafted packet is a header request sent to the server with a RANGE parameter and some values.
|GET / HTTP/1.1 Host: MS15034 Range: bytes=0-18446744073709551615|
Successful exploitation of the vulnerability could allow an attacker to remotely execute arbitrary code in the context of the IIS account being used (the default IIS user account is SYSTEM) and to thereby gain full remote access to the affected Windows system. It is however more likely that the DoS version of the code will be used to disrupt services.
Further technical details can be found at:
3- Who is affected
Any Microsoft server or workstation that accepts HTTP/HTTPS traffic is likely to be affected by this issue. Whilst most of the information available focuses on IIS, as this is the main application that utilises this particular file, it is not the only product running in Windows environment that will be vulnerable.
Microsoft states the following versions of their operating system is vulnerable:
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows 8 for 32-bit Systems
- Windows 8 for x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation option)
- Windows Server 2012 R2 (Server Core installation option)
4- How can you identify if you are vulnerable
The mainstream testing tools such as Nessus, Nexpose and nmap have updated scripts and signatures to perform checks.
The simplest method to test if your machine is vulnerable is to perform the following check from either a linux system or windows system (that has curl):
|$ curl -v [ipaddress]/ -H “Host: test” -H “Range: bytes=0-18446744073709551615”|
if the response includes “Requested Header Range Not Satisfiable” the server is likely vulnerable.
|<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV=”Content-Type” Content=”text/html; charset=us-ascii”></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
Some PowerShell alternatives are available but testing suggests these scripts may not be reliable.
5- How can you remediate
To fix the issue the only approach at this time is to patch and apply the fix released earlier this week (i.e. MS15-034). Priorities:
- Internet facing Microsoft web servers should receive first priority, especially those utilising IIS as the web server.
- As a second priority any remaining internet facing Windows systems should be patched.
- Internal servers utilising IIS
- Remaining internal servers
- Workstations (unless these are running IIS in which case they should be treated as a level 3 priority)
- Disable IIS caching (IIS 7 upwards) – This will prevent the attack from being successful however will have significant impact on the performance of the server and is not a first choice.
- Intrusion Prevention Signatures – The main Intrusion Detection vendors as well as those with Next Generation firewalls will already have signatures for this attack. Please be aware that effectiveness depends on the signature.
- The more effective signatures will target the RANGE request as that means it will identify and drop all requests. It is not a parameter that is regularly passed in a normal application.
Given the criticality of the vulnerability Shearwater’s recommendation is to patch in accordance with the priorities outlined above.
6- How can we help
If required there are several ways in which we can assist. These include:
- Identifying vulnerable services
- Prioritising patch deployment
- Assisting with risk management
Shearwater is dedicated to its customers’ security, and are always happy to provide advice. If any assistance is required please contact us.