Protect Against Critical IIS 6.0 Buffer Overflow vulnerability (CVE-2017-7269) with Qualys WAF

Document created by Vikas Phonsa on Mar 30, 2017Last modified by Robert Dell'Immagine on Apr 19, 2019
Version 3Show Document
  • View in full screen mode

Security researchers have disclosed a Buffer Overflow vulnerability (CVE-2017-7269) in the Microsoft Internet Information Service (IIS) 6.0 web server included in the Windows Server 2003 R2. Qualys Web Application Firewall (WAF) can help you block HTTP requests trying to exploit this vulnerability.

This vulnerability can be exploited using a PROPFIND HTTP request with a long string value in the IF header, starting with “<http://”. The vulnerability can allow attackers to mount Remote Code Execution attacks or cause Denial of Service in the vulnerable applications. Microsoft ended support for Windows Server 2003 R2 on July 14, 2015 and is not expected to provide a patch for this vulnerability.

PROPFIND is an HTTP method supported by the Web Distributed Authoring and Versioning (WebDAV) protocol, which is an extension of the HTTP protocol that provides a framework for managing documents on web servers.

Most web applications may not have a need to support the PROPFIND method. You can whitelist the HTTP methods supported by your application in the HTTP Profiles section of the Qualys WAF. All other HTTP methods, including PROPFIND, will be blocked by the WAF before malicious requests impact your application. For more information on how to use Qualys WAF to protect your applications against this vulnerability, please see this blog post