Microsoft released patches for a critical vulnerability in the Windows module HTTP.sys which affects the IIS web server [1]. The vulnerability may allow remote code execution.
Public exploit code shows that a buffer overflow can be caused by crafting a special HTTP request with large Range header values.
Airlock WAF itself is not affected because it does not run on Microsoft Windows.
For affected IIS back-ends we recommend applying the patches provided by Microsoft [1].
If you cannot apply the patches immediately, you can configure a deny rule on Airlock WAF that blocks unrealistically large integer values in the Range header.
Since details of the vulnerability are not yet public, we cannot guarantee that the deny rule completely prevents exploitation. In any case, vulnerable systems should be patched as soon as possible.
Pattern for header name (case sensitive = OFF, invert = OFF):
^Range$
Pattern for header value (case sensitive = ON, invert = OFF):
\b[0-9]{16,}\b
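The two patterns above are applied by the WAF to each request header: the name pattern selects the Range header regardless of letter case, and the value pattern looks for a run of at least 16 digits delimited by word boundaries. The following added example (not Airlock code; written here to illustrate the rule) evaluates the same two regular expressions, with the same case-sensitivity settings, against a few constructed HTTP requests, so that you can see which Range values the rule denies and which ordinary partial-content requests it lets through. The request parsing and the sample requests are assumptions of the example.

```python
import re

# Header-name pattern from the advisory, case sensitive = OFF.
HEADER_NAME_PATTERN = re.compile(r"^Range$", re.IGNORECASE)
# Header-value pattern from the advisory, case sensitive = ON.
# \b...\b requires the 16+ digit run to be delimited by non-word characters
# (e.g. "-", ",", "=" or end of value), so "bytes=0-<16+ digits>" matches.
HEADER_VALUE_PATTERN = re.compile(r"\b[0-9]{16,}\b")


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request into (name, value) header pairs.

    Only the header block (after the request line, before the blank line)
    is considered; this is a minimal parser for the example, not a full
    HTTP implementation.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def matches_deny_rule(headers: list[tuple[str, str]]) -> bool:
    """True when some header matches BOTH the name and the value pattern.

    This mirrors a deny rule that combines a header-name pattern with a
    header-value pattern: a huge integer in a header other than Range does
    not trigger it, and a normal Range value does not either.
    """
    return any(
        HEADER_NAME_PATTERN.search(name) and HEADER_VALUE_PATTERN.search(value)
        for name, value in headers
    )


def should_deny(raw_request: str) -> bool:
    """Convenience wrapper: parse the request and apply the rule."""
    return matches_deny_rule(parse_headers(raw_request))


# Constructed sample requests (not captured traffic).
BENIGN_RANGE = (
    "GET /video.mp4 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Range: bytes=0-1023\r\n"
    "\r\n"
)
# A 20-digit upper bound: unrealistically large for any real resource.
HUGE_RANGE = (
    "GET /video.mp4 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "range: bytes=0-99999999999999999999\r\n"
    "\r\n"
)
# A 15-digit value sits just below the rule's threshold and is allowed.
FIFTEEN_DIGITS = (
    "GET /video.mp4 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Range: bytes=0-123456789012345\r\n"
    "\r\n"
)
# The same huge integer in a different header does not match ^Range$.
OTHER_HEADER = (
    "GET /video.mp4 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "X-Range: 99999999999999999999\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_RANGE), ("huge", HUGE_RANGE),
                       ("15 digits", FIFTEEN_DIGITS), ("other header", OTHER_HEADER)]:
        print(f"{label:13s} -> {'DENY' if should_deny(req) else 'allow'}")
```

Note that the name pattern is matched case-insensitively (so `range:` and `RANGE:` are caught) while the value pattern is case-sensitive, which is irrelevant for digits but matches the settings given above. Values with fewer than 16 digits pass, so ordinary partial-content downloads are unaffected.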