Security researchers have disclosed a buffer overflow vulnerability (CVE-2017-7269) in the WebDAV component of Microsoft Internet Information Services (IIS) 6.0, the web server shipped with Windows Server 2003 and Windows Server 2003 R2. The flaw is in the ScStoragePathFromUrl function of the WebDAV service. Qualys Web Application Firewall (WAF) can help you block HTTP requests that attempt to exploit this vulnerability.
The vulnerability is triggered by a PROPFIND request whose If header carries an overlong value beginning with "<http://". Successful exploitation lets a remote, unauthenticated attacker execute arbitrary code on the server or crash the service (denial of service). Microsoft ended support for Windows Server 2003 R2 on July 14, 2015 and, at the time of writing, is not expected to provide a patch for this vulnerability.
PROPFIND is an HTTP method defined by Web Distributed Authoring and Versioning (WebDAV, RFC 4918), an extension of HTTP that provides a framework for creating, moving and managing documents on web servers. The If header is likewise a WebDAV header: it lets a client make a request conditional on lock tokens and entity tags, and in normal use its value is short.
How Qualys WAF Protects
Most web applications have no need to support the PROPFIND method. You can whitelist the HTTP methods your application actually uses in the HTTP Profiles section of Qualys WAF; every other method, PROPFIND included, is then blocked by the WAF before the request reaches your application.
If you need more fine-grained control, use the custom security rules in Qualys WAF: for example, block PROPFIND only for specific URL paths, or inspect the If header value with a regular expression.
Keep in mind that matching specific If header values is brittle: a new exploit pattern may sidestep the regular expression, so whitelisting HTTP methods is the stronger control. Only if your application genuinely needs PROPFIND should you fall back to inspecting If header values, and the rule should then match the shape of the trigger (an overlong value starting with "<http://") rather than one exploit's exact payload.
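The two policies described above, a strict method whitelist and a fine-grained PROPFIND rule that restricts paths and inspects the If header, expressed as a small request filter. This is an added example, not Qualys WAF configuration or Qualys code; the method lists, the 200-byte threshold for the "<http://" resource and the three sample requests are assumptions constructed for the illustration, and the exploit-shaped request uses filler bytes rather than a real payload.

```python
import re

# Coarse policy (the recommended approach): whitelist only the methods the
# application needs; anything else, PROPFIND included, is blocked.
STRICT_METHODS = frozenset({"GET", "HEAD", "POST"})

# Fine-grained policy for applications that must serve WebDAV: PROPFIND is
# allowed, optionally only under certain paths, and its If header is checked.
WEBDAV_METHODS = STRICT_METHODS | {"OPTIONS", "PROPFIND"}

# Assumption: a legitimate If header carries short lock tokens or ETags, so a
# '<http://' tagged resource of 200 or more bytes is treated as the
# CVE-2017-7269 trigger shape. Tune the threshold to your own traffic.
MAX_IF_RESOURCE_LEN = 200
IF_EXPLOIT_RE = re.compile(r"<http://[^>]{%d,}" % MAX_IF_RESOURCE_LEN)


def parse_request(raw):
    """Parse an HTTP/1.x request head into (method, path, headers).

    Header names are lower-cased; repeated headers are joined with ', '.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method = parts[0].decode("ascii")
    path = parts[1].decode("latin-1")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("ascii")
        val = value.strip().decode("latin-1")
        headers[key] = headers[key] + ", " + val if key in headers else val
    return method, path, headers


def inspect(raw, allowed_methods=STRICT_METHODS, propfind_prefixes=None):
    """Return ("allow", reason) or ("block", reason) for one raw request.

    propfind_prefixes=None means PROPFIND (if whitelisted) is allowed on any
    path; a tuple of prefixes restricts it to those paths only.
    """
    method, path, headers = parse_request(raw)
    if method not in allowed_methods:
        return "block", "method %s not whitelisted" % method
    if method == "PROPFIND":
        if propfind_prefixes is not None and not path.startswith(tuple(propfind_prefixes)):
            return "block", "PROPFIND not permitted for %s" % path
        if_value = headers.get("if", "")
        if IF_EXPLOIT_RE.search(if_value):
            return "block", ("If header matches CVE-2017-7269 pattern "
                             "(%d bytes)" % len(if_value))
    return "allow", "ok"


# Constructed sample traffic (not captured from a real host).
BENIGN_GET = (b"GET /index.html HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")

# A WebDAV client refreshing a lock: short, parenthesised lock token.
LEGIT_PROPFIND = (b"PROPFIND /docs/ HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Depth: 1\r\n"
                  b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n")

# Shape of the CVE-2017-7269 trigger: an If header whose value is '<http://'
# followed by a very long string. Filler 'A's stand in for a real payload.
EXPLOIT_PROPFIND = (b"PROPFIND / HTTP/1.1\r\n"
                    b"Host: www.example.com\r\n"
                    b"If: <http://www.example.com/" + b"A" * 1000 + b">\r\n\r\n")


if __name__ == "__main__":
    for name, req in (("GET", BENIGN_GET), ("legit PROPFIND", LEGIT_PROPFIND),
                      ("exploit PROPFIND", EXPLOIT_PROPFIND)):
        print("%-17s strict=%s webdav=%s" % (
            name, inspect(req), inspect(req, WEBDAV_METHODS, ("/docs/",))))
```

Under the strict policy both PROPFIND requests are rejected purely on the method, which is why the whitelist is the stronger control: no knowledge of the exploit is needed. Under the WebDAV policy the lock-refresh request passes, the exploit-shaped request is still stopped by the If header rule, and restricting PROPFIND to a path prefix additionally rejects it for targeting "/".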
For comprehensive protection, Qualys advises upgrading to a version of Windows Server and IIS that Microsoft still supports. If upgrading is not an option, disable WebDAV on IIS 6.0 (it is listed under Web Service Extensions in IIS Manager and can be set to Prohibited) so that PROPFIND requests are never processed by the vulnerable component.
If you would like to learn more about the security features of the Qualys WAF 2.0, please contact your Qualys Technical Account Manager or register for a free trial. Additional documentation is available on the Qualys WAF community and the Qualys website. If you are already using Qualys WAF, please contact Qualys Support with any questions you have.
Rémi Le Mer, Solutions Architect at Qualys, contributed to this article.