This issue involves a denial of service vulnerability that potentially can
be used by someone with malicious intent to cause disruption of service. It
cannot be used to crash the FTP server, or any other service running on the
When multiple passive connections are made to a single FTP server via the
PASV FTP command, it is possible to use up all available system threads for
servicing clients. Once this happens, requests for additional connections
will fail as discussed above, and will continue to fail until a client
thread is again available. Further, the FTP and WWW services on a machine
share a common thread pool, so exhausting the FTP thread pool also will
cause connection requests for the WWW service to fail.
This vulnerability does not affect other services running on the same
system, nor does it cause the FTP or WWW service to crash. Once the passive
connections time out, the system performance will return to normal.
Server Administrators will see the following error in the System Event Log:
FTP Server could not create a client worker thread for user
at host 'IPAddress'. The connection to this user is terminated.
The data is the error.
Clients accessing either the WWW or FTP services might see messages such as
the either of the following:
- Connection closed by remote host
- The FTP session was terminated
Fix for this problem
Fixes are avaiable at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/ for IIS3,
and ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/ for IIS4.