Microsoft ASP.NET Vulnerability

In the last few days, there has been some discussion on security-related Web sites and blogs about a new security vulnerability that has been discovered in Microsoft’s ASP.NET software framework.  The framework is designed to allow developers to create Web-based applications; in contrast to more traditional methods, which use a combination of ordinary HTML and a scripting language, such as JavaScript, ASP.NET produces “compiled” pages that can be served by Microsoft’s IIS server.

Microsoft has now published a Security Advisory (2416728) giving more information on this vulnerability.  Exploiting the flaw will not in itself allow an attacker to gain control of the target server, but it can allow the attacker to recover encrypted server state information, which in turn might allow a more serious attack.  An exploit takes advantage of the flaw by probing the server to produce selected error messages during decryption.  The error messages contain information that might allow the attacker to break the encryption.  (This is sometimes known as a “padding oracle” attack — it has nothing to do with Oracle, the company, or its database products.)

The Security Advisory has a suggested workaround that sets the server configuration so that a uniform, generic error message is returned if the server is probed, thus frustrating the attack.  Microsoft is also working on a patch.  Scott Guthrie, one of Microsoft’s VPs who manages ASP.NET development, also has a blog post about this vulnerability.

Update Saturday, 18 September, 16:25 EDT

The ThreatPost blog at Kaspersky Labs has a post on this vulnerability that explains it in more detail.  As it points out, one important characteristic of this type of attack is that it will always be successful, although the time needed for a successful attack will vary.

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site’s decryption process works. Rizzo and Duong said that the attack is reliable 100 percent of the time on ASP.NET applications, although the time to success can vary widely. The real limiting resources in this attack are the speed of the server and the bandwidth available.

Juliano Rizzo and Thai Duong developed the attack, following up on similar work on other Web platforms that they presented at the Black Hat Europe conference.

Update Saturday, 18 September, 23:35 EDT

Microsoft’s Security Research and Defense blog also has an article posted about this vulnerability.  Its explanation of what the problem is and how it might be exploited is probably the clearest I’ve seen for the non-expert.

2 Responses to Microsoft ASP.NET Vulnerability

  1. […] Center Blog, Microsoft has announced that it intends to release an out-of-band patch for the ASP.NET security vulnerability that has been getting a lot of attention recently.   The vulnerability affects all versions of […]

  2. […] Patch Released As expected, Microsoft has released an out-of-band security patch for the ASP.NET vulnerability.   Details of the patch, and download links, are given in the Security Bulletin MS10-070.    […]
