Microsoft Forefront Unified Access Gateway NULL denial of service (HTTP_UAG_Cookie_DoS)

About this signature or vulnerability

IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Network Protection, Virtual Server Protection for VMware, Proventia Network IPS, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This signature detects Cookie headers that may indicate a DoS attack.


Default risk level

Medium

Sensors that have this signature

IBM Security Host Protection for Desktops: 2690, Proventia Network IDS: XPU 31.100, Proventia-G 1.1 and earlier: XPU 31.100, Proventia Network MFS: XPU 31.100, IBM Security Network Protection: 5.1, Virtual Server Protection for VMware: XPU 31.100, Proventia Network IPS: XPU 31.100, Proventia Server IPS for Linux technology: 31.100, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Servers (Windows): 2.1.14.2690, RealSecure Server Sensor: XPU 31.100

Systems affected

Microsoft Forefront Unified Access Gateway: 2010, Microsoft Forefront Unified Access Gateway: 2010 Update 1, Microsoft Forefront Unified Access Gateway: 2010 Update 2, Microsoft Forefront Unified Access Gateway: 2010 SP1

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Forefront Unified Access Gateway (UAG) is vulnerable to a denial of service, caused by the improper validation of a NULL value contained within the session cookie. An attacker could exploit this vulnerability to cause the Web server to crash.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS11-079
Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)
http://www.microsoft.com/technet/security/bulletin/ms11-079.mspx

Microsoft Security Bulletin MS12-026
Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
http://technet.microsoft.com/en-us/security/bulletin/ms12-026

ISS X-Force
Microsoft Forefront Unified Access Gateway NULL denial of service
http://www.iss.net/security_center/static/70107.php

CVE
CVE-2011-2012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2012