4 September 2009

Security Advisory Notification on X-Forwarded-For for ISA Server

Severity: High

Problem: A security vulnerability has been discovered in Winfrasoft X-Forwarded-For for ISA Server which could result in a denial of service. Successful delivery of the attack can leave the ISA Server Firewall service in a stopped state, preventing ISA Server from serving any traffic until the service is restarted. The vulnerability affects availability only: no unauthorised access is gained and no data is compromised.

Affected versions:
All versions of Winfrasoft X-Forwarded-For for ISA Server up to and including 2.0.4, including all prior 1.x builds.


Mitigation:
The risk of attack is greatest where ISA Server is deployed as a reverse proxy, because inbound access from the Internet is allowed and the attack can therefore be delivered by any Internet host. Where ISA Server is used only as a forward proxy, the attack could be launched only from the internal network, which poses a much lower risk. The only way to mitigate the issue without upgrading to the fixed version is to disable or uninstall X-Forwarded-For for ISA Server, accepting the loss of the functionality the filter provides until the upgrade can be applied.


Resolution:
An updated version of Winfrasoft X-Forwarded-For for ISA Server has been released which corrects the issue. The security fix is included in all builds from, and including, version 2.0.6. Customers running any version listed above should upgrade to 2.0.6 or later.


More information:
Winfrasoft was privately notified about the issue and, in line with responsible disclosure guidelines, we shall not be detailing the exact attack methodology. The attack has been exploited in the wild, although it is not known whether it was specifically targeted at Winfrasoft X-Forwarded-For for ISA Server.

1 September 2009

IAG SP2 update 2 notice

A quick warning about IAG SP2 Update 2 which may impact some customer deployments.

This update installs a NEW version of login.asp which adds support for Windows 7 and IE8. However, any customised version of login.asp created from a pre-Update 2 build will no longer function once Update 2 is installed. After installing SP2 Update 2 you will need to re-create your customisations in a new copy of login.asp, using the Update 2 version as the template.

You are likely to have a customised version of login.asp if you are using a two-factor authentication solution with IAG, so check for one before applying the update.