Update: Made changes to reflect that IIS Request Filtering will not work.

This week, Microsoft released a security fix MS15-034 (KB3042553) for IIS which potentially allows for remote code execution on IIS, denial of service attacks (DOS) or bugchecking of servers. Since Exchange leverages IIS, Exchange servers are affected.

The vulnerability is easy to exploit, using an HTTP or HTTPS request and specifying a Range header with a value of 18446744073709551615 (maximum 64-bit unsigned integer). The Range header, introduced in the HTTP/1.1 specification, can be used by the requester to receive only a portion of data, for example the first few bytes of a JPG to determine its dimensions.The issue occurs when you specify out of bounds value. for example, when using cURL you can specify:

curl -v https://exchangeserver.contoso.com/iisstart.htm -H "Host: contoso.com" -H "Range: bytes = 0-8192" -k

• The most recommended solution is of course to install the KB3042553 security fix on servers running IIS, starting with servers that are internet-facing.
• Filter requests on your reverse proxy, load balancer or IPS solution:
  • KEMP has provided instructions how to accomplish this on their Loadmasters here.
  • F5 has provided instructions here.
  • ISC SANS institute provided instructions for SNORT here.
• Disable IIS kernel caching, but this is not recommended due to negative impact on performance.

Unfortunately, Request Filtering is not an option so you can not prevent the exploit using IIS’ built-in Request Filtering feature. The Request Filtering will occur after parsing of the Range header, and it is in this parsing causing the issue.