How to Use Content Switching to Mitigate Against the MS15-034 Vulnerability
Summary: An exploit has been found affecting IIS servers (MS15-034). The exploit uses the Range header and can potentially allow remote code execution.
Details:
It is recommended that anyone affected install the latest Microsoft patch to mitigate against this.
If you are using the Kemp LoadMaster, you can also use the Content Switching feature to block or modify requests that trigger the vulnerability.
As the exploit involves accessing memory at the "-1" location using the value 18446744073709551615, one method of blocking it is to restrict the length of values in the Range header. The following rule will match any request with a Range header that includes a value of more than 10 digits and remove this value from the request.
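
Example request that triggers the rule:

User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-18446744073709551615

The same request after the rule is applied:

User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-

Example request with a normal range value:

User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789

The same request after the rule is applied (unchanged):

User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789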
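
The match-and-modify behaviour described above, sketched in Python as an added example; it is not Kemp's rule and not LoadMaster syntax. The function name sanitize_range, the regex, and the multi-range test request are assumptions made for illustration.

```python
import re

# Assumption: "a value >10 digits" is read as any run of 11+ decimal digits.
LONG_NUMBER = re.compile(r"\d{11,}")

def sanitize_range(header_lines):
    """Strip overlong numbers from every Range header.

    Returns (new_header_lines, stripped_values) so the caller can both
    forward the cleaned request and log what was removed.
    """
    cleaned, stripped = [], []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive, so "RANGE" must match too.
        if sep and name.strip().lower() == "range":
            stripped.extend(LONG_NUMBER.findall(value))
            line = name + sep + LONG_NUMBER.sub("", value)
        cleaned.append(line)
    return cleaned, stripped

# The two example requests shown on this page.
OVERSIZED = [
    "User-Agent: curl/7.37.1",
    "Accept: */*",
    "Host: domain.com",
    "Range: bytes = 10-18446744073709551615",
]
NORMAL = OVERSIZED[:3] + ["Range: bytes = 10-123456789"]
# Constructed case: mixed-case header name with several ranges.
MULTI = ["Host: domain.com", "rAnGe: bytes=0-1,5-18446744073709551615"]

if __name__ == "__main__":
    for request in (OVERSIZED, NORMAL, MULTI):
        headers, removed = sanitize_range(request)
        print(headers[-1], "| removed:", removed)
```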