Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege

    Hi,

    For anyone who uses ISA 2006...
    http://www.microsoft.com/technet/sec.../MS09-031.mspx
    http://blogs.technet.com/isablog/arc...-bulletin.aspx

    ISA Server 2006 RTM, Supportability Update, Service Pack 1 that are configured as follows:
    • The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP)
    • The web publishing rule delegates using Kerberos Constrained Delegation (KCD)
    • ISA is configured to allow fallback to HTTP-Basic authentication


    If you do not use RADIUS OTP with KCD, or you have disabled HTTP-Basic fallback for RADIUS OTP, you are not subject to this vulnerability.

    Non-Affected Products
    • ISA Server 2000
    • ISA Server 2004
    • Forefront TMG

    Last edited by Dumber; 15th July 2009, 09:46.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
