MS IIS Server Authorization Vulnerability

Microsoft published a critical vulnerability on October 8, 2019, affecting IIS servers and allowing elevation of privilege. An attacker who exploits this vulnerability, CVE-2019-1365, can escape the sandbox of the IIS server with a web request.

The vulnerability can be remedied by applying the security updates released by Microsoft.

SOLUTION/RECOMMENDATION

The security updates published by Microsoft must be applied urgently on all relevant servers before any security incident occurs. All systems should be scanned for this vulnerability using vulnerability detection systems, and the affected servers should be remediated as soon as possible. In addition, where possible, it is useful to enable signatures related to this vulnerability on security devices.

Before rolling the update out to all systems, it is recommended to test it first to avoid any service interruption.

Operating Systems

  • Windows Operating System

Versions

  • Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019

CVE / CWE

CVE-2019-1365

Additional Information

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1365
  2. https://nvd.nist.gov/vuln/detail/CVE-2019-1365
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688