HTTP Request Smuggling in Microsoft IIS Server



Published: 2020-07-15
Risk: Medium
Patch available: NO
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-444
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Microsoft IIS
Server applications / Web servers

Vendor: Microsoft

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU29910

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.

The vulnerability exists due to the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. A remote attacker can send a specially crafted request to a targeted IIS Server, perform an HTTP request smuggling attack, and modify responses or retrieve information from another user's HTTP session.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Microsoft recommends that administrators review front-end environmental configurations, and if necessary, enable the request smuggling filter. Testing is required to determine that front-end load balancers and proxies do not forward malformed requests; these requests will be rejected when the filter is enabled, and may disrupt communications.

Enable the request smuggling filter on your web server by using the Registry Editor

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type value DisableRequestSmuggling to one of the following:
    • Set to 0 to disable the filter
    • Set to 1 to enable the filter
  4. Exit Registry Editor.
  5. Restart the computer.
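The same registry change can be audited and applied from PowerShell. This is an added example, not part of the original bulletin or Microsoft's guidance; the function names `Get-SmugglingFilterState` and `Set-SmugglingFilter` are hypothetical, and the key path and value name are the ones given in the steps above.

```powershell
# Added example. Run in an elevated session; test behind your front-end first,
# since the bulletin warns the filter may disrupt communications.
$HttpParams = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$ValueName  = 'DisableRequestSmuggling'

function Get-SmugglingFilterState {
    # Hypothetical helper. Despite the "Disable..." name, the bulletin defines
    # 1 = filter enabled and 0 = filter disabled.
    $item = Get-ItemProperty -Path $HttpParams -Name $ValueName -ErrorAction SilentlyContinue
    $present = ($null -ne $item)
    $value = $null
    if ($present) { $value = [int]$item.$ValueName }
    New-Object PSObject -Property @{
        Present       = $present
        Value         = $value
        # Assumption: an absent value is reported as "not enabled".
        FilterEnabled = ($present -and $value -eq 1)
    }
}

function Set-SmugglingFilter {
    # Hypothetical helper: writes the DWORD only when it differs, supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value
    )
    $before = Get-SmugglingFilterState
    if ($before.Present -and $before.Value -eq $Value) {
        Write-Output "$ValueName is already $Value; no change made."
        return
    }
    if ($PSCmdlet.ShouldProcess("$HttpParams\$ValueName", "Set DWORD to $Value")) {
        New-ItemProperty -Path $HttpParams -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Output "$ValueName set to $Value (was: $($before.Value)). Restart the computer to apply."
    }
}

# Report the current state, then preview the change without writing anything.
Get-SmugglingFilterState
Set-SmugglingFilter -Value 1 -WhatIf   # drop -WhatIf to apply
```

The script does not restart the machine; step 5 still has to be scheduled separately.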

Vulnerable software versions

Windows: 7 - 10 2004

Windows Server: 2008 R2 - 2019 2004

Microsoft IIS: 7.5 - 10.0

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


