Mitigating HTTP.sys Vulnerability in Windows (MS15-034) by Using Citrix Application Firewall Signatures

Article ID: CTX200933

Description

Microsoft Security Bulletin MS15-034 and CVE-2015-1635 describe a remote code execution vulnerability in the HTTP protocol stack (HTTP.sys). An attacker can send a specially crafted HTTP request to an affected Windows system to execute arbitrary code in the context of the System account. Failed exploit attempts might result in denial-of-service conditions. A workaround that disables IIS kernel caching was suggested for IIS servers, with the caveat that it can cause performance issues.

Citrix Application Firewall can mitigate attempts to exploit this critical vulnerability. The pattern matching power of the Application Firewall signatures offers an easily configurable way to safeguard your Windows systems. The auto-update functionality is the quickest way to update all your existing signatures and obtain the latest protection against this vulnerability.

If you cannot use auto-update, you can instead add a customized signature rule that detects requests containing a Range header with a value greater than 1,000,000,000. The following example shows a pattern that detects and blocks attacks that attempt to exploit this vulnerability.

Example of Signature Rule

<SignatureRule actions="block,log" category="HTTP.sys" enabled="ON" id="1000000" severity="" source="" type="" version="1">
  <PatternList>
    <RequestPatterns>
      <Pattern>
        <Location area="HTTP_HEADER">
          <HeaderName type="Literal">Range</HeaderName>
        </Location>
        <Match type="PCRE">\s*bytes=(.*([0-9]{10,})+.*)</Match>
      </Pattern>
    </RequestPatterns>
  </PatternList>
  <LogString>HTTP.sys CVE-2015-1635 Attack</LogString>
  <Comment/>
</SignatureRule>

Note: The NetScaler appliance also offers an alternative. If you have not yet deployed the Application Firewall to secure your web sites, you can use the following responder policy to detect and drop requests that attempt to exploit this vulnerability.

add responder policy testMS15cve "HTTP.REQ.HEADER(\"Range\").EXISTS && HTTP.REQ.HEADER(\"Range\").SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re/bytes\\s*=.*[0-9]{10,}.*/)" DROP
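Both the signature rule and the responder policy reduce to a regular-expression check on the Range header. The following Python script is added here for illustration and is not part of the Citrix article or of NetScaler; it applies the article's signature PCRE and the responder-policy regex to constructed sample requests so the two rules can be compared side by side (the signature match is assumed to be case-sensitive, as the pattern is written).

```python
import re

# Signature PCRE from the article, applied to the Range header value.
SIGNATURE_RE = re.compile(r"\s*bytes=(.*([0-9]{10,})+.*)")
# Responder-policy regex from the article; SET_TEXT_MODE(IGNORECASE) becomes re.IGNORECASE.
RESPONDER_RE = re.compile(r"bytes\s*=.*[0-9]{10,}.*", re.IGNORECASE)


def range_header_values(raw_request: str) -> list:
    """Collect every Range header value from the head of a raw HTTP/1.1 request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":  # header names are case-insensitive
            values.append(value.strip())
    return values


def evaluate(raw_request: str) -> dict:
    """Report which of the two article rules would fire on this request.

    'signature' mirrors the Application Firewall PCRE (assumed case-sensitive),
    'responder' mirrors the responder policy (explicitly case-insensitive).
    """
    values = range_header_values(raw_request)
    return {
        "signature": any(SIGNATURE_RE.search(v) for v in values),
        "responder": any(RESPONDER_RE.search(v) for v in values),
    }


# Constructed sample requests (not captured traffic); the host name is a placeholder.
SAMPLES = {
    "normal_range": "GET /a.txt HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n\r\n",
    "oversized_range": "GET /a.txt HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "spaced_uppercase": "GET /a.txt HTTP/1.1\r\nHost: example.test\r\nRANGE: Bytes = 0-18446744073709551615\r\n\r\n",
    "no_range": "GET /a.txt HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:16} {evaluate(request)}")
```

The third sample shows the coverage difference a practitioner should be aware of: the responder regex tolerates whitespace around the equals sign and mixed case, while the signature PCRE as written matches only the literal `bytes=` form.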


Issue/Introduction

This article describes how to mitigate HTTP.sys vulnerability in Windows (MS15-034) by using Citrix Application Firewall signatures.