New Web Service Vulnerability

December 29, 2011

According to a report at Security Week, a new assessment of a vulnerability in the hash table implementations of some Web development platforms indicates that many current software tools are vulnerable to a particular type of denial-pf-service attack.  Research done by German security firm n.runs AG indicates the vulnerability impacts PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.  The complete n.runs advisory (which is in English) is available here [PDF].

The use of hash tables is common in software applications that need to construct a lookup table of values at execution time.  (One might think, for example, of a compiler constructing a table of variable names.)   The idea is to compute some inexpensive function of the identifier, or item key, that produces a “sort of random” distribution of results.  That in turn makes searching for a value quicker, since the whole list need not be checked.

We sometimes use a very primitive manual hash function if we are setting out, say, name badges for a group of people: we arrange them based on the first letter of the last name.   Typically, of course, there will be more than one name that begins with a given letter (and at least in English-speaking countries, some letters, like ‘M’, will be much more common than others, like ‘X’); in the context of hash tables, this is called a collision.  This is, usually, perfectly OK; it is still quicker to look through all the ‘M’s than through the whole list.

The problem is that some hash functions, used in these Web development toolsets, have the property that it is possible to deliberately induce a large number of collisions by using specially crafted identifiers.  (Imagine our name tag example if everyone’s last name began with ‘M’.)  An attack like this could cause the Web server to use up huge amounts of time repeatedly scanning a long list of identifiers, leading to a denial of service.

According to Security Week, the security teams for Ruby and Tomcat have addressed the issue, and Microsoft has issued a Security Advisory, which rates the vulnerability as Critical for all supported versions of Windows.  (Note, however, that Microsoft’s Web server, IIS, is not enabled by default in any version of Windows.)   Oracle (for Java) says that nothing needs to be done.

The Microsoft advisory lists some mitigation steps, some of which are applicable on other platforms:

  • Limit the size of acceptable POST requests
  • Limit the allowable CPU time used per request
  • Limit the maximum number of parameters in a request.

Microsoft has also announced that it will release an out-of-schedule security fix for its ASP.NET framework later today.

Update Thursday, 29 December, 13:11 EST

Microsoft has now issued Security Bulletin MS11-100, which addresses this vulnerability, as well as three privately-reported vulnerabilities (CVE numbers are in the bulletin).  The .NET framework is affected on all supported versions of Windows.

If you are using .NET on Windows, I recommend that you apply this update as soon as you conveniently can.

%d bloggers like this: