Steven Posted May 1, 2003 Share Posted May 1, 2003 -----BEGIN PGP SIGNED MESSAGE----- - -------------------------------------------------------------------- Title: Cumulative Patch for BizTalk Server (815206) Date: 30 April 2003 Software: Microsoft BizTalk Server 2000 & BizTalk Server 2002 Impact: Two vulnerabilities, the most serious of which could allow an attacker to run code of their choice Max Risk: Important Bulletin: MS03-016 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/...in/MS03-016.asp http://www.microsoft.com/security/security...ns/ms03-016.asp - -------------------------------------------------------------------- Issue: ====== Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server. The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents - the HTTP receiver - and could result in an attacker being able to execute code of their choice on the BizTalk Server. The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string. Mitigating Factors: ==================== HTTP Receiver Buffer Overflow - -The HTTP Receiver is only present in Microsoft BizTalk Server 2002. BizTalk Server 2000 is not affected by this vulnerability. - -The HTTP receiver is not enabled by default. HTTP must be explicitly enabled as a receive transport during the setup of a BizTalk site. - -If the vulnerability was exploited to run arbitrary code, the code would run in the security context of the IIS Server. If the IIS Server is running under a user account, the attacker's permissions will be limited to those of this user account. DTA SQL Injection - -DTA users by default are not highly privileged SQL users such as database owners, since they are only required to be members of "BizTalk Server Report Users" security group in order to use DTA web interface. In this case, a successful attacker's permissions on the SQL Server will be restricted. Risk Rating: ============ Important Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/...in/ms03-016.asp http://www.microsoft.com/security/security...ns/ms03-016.asp for information on obtaining this patch. Acknowledgment: =============== - Microsoft thanks Cesar Cerrudo for reporting this issue to us and working with us to protect customers - -------------------------------------------------------------------- Link to comment Share on other sites More sharing options...
Recommended Posts