Microsoft Releases Out-of-Cycle .NET Framework Security Update

Summary:

  • These vulnerabilities affect: All versions of Microsoft’s .NET Framework
  • How an attacker exploits it: Multiple ways, including sending specially crafted web requests or enticing users to click maliciously crafted links
  • Impact: Various. In the worst case, an attacker can log in to your web application as another user, without having that user’s password
  • What to do: Install the proper .NET Framework update immediately, or let Windows Update do it for you.

Exposure:

Last week — following the holiday weekend — Microsoft released a blog post and Security Advisory about a new, publicly disclosed ASP.NET Denial of Service (DoS) vulnerability.

A few days later, they released an out-of-cycle Security Bulletin fixing that .NET Framework vulnerability, and three others. Whether you manage a public web server with ASP.NET applications, or host such .NET applications internally, we highly recommend you download, test, and deploy the appropriate .NET Framework updates as soon as possible.

Microsoft’s out-of-cycle .NET Framework security bulletin describes four vulnerabilities, including the publicly disclosed DoS vulnerability mentioned above. The vulnerabilities have different scopes and impacts. I detail two of the more relevant issues below, in order of severity:

  • ASP.NET Forms Authentication Bypass Flaw – ASP.NET doesn’t properly authenticate specially crafted usernames. If an attacker has (or can create) an account on your ASP.NET application, and knows the username of a victim, the attacker can send a specially crafted authentication request that gives him access to the victim’s account without needing a valid password. However, your ASP.NET web site or application is only vulnerable to this when you’ve enabled “Forms Authentication.”
  • ASP.NET HashTable Collision DoS Vulnerability – Without going into great technical detail, ASP.NET suffers from a flaw involving the way it hashes specially crafted requests. In short, by sending specially crafted ASP.NET requests to your web application, an attacker can fill ASP.NET’s hash table with colliding hashes, which can greatly degrade the performance of your ASP.NET application or web site. If you are technically inclined, and would like more details, we recommend reading n.run’s advisory concerning this flaw.

Microsoft’s bulletin also fixes a less severe privilege escalation vulnerability, as well as an insecure URL redirect flaw. For more details on these two flaws, see the “Vulnerability Information” section of Microsoft’s bulletin.
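To make the hash table collision issue above concrete, the following added example (not code from Microsoft, n.runs, or the original alert) counts key comparisons in a small chained hash table. The byte-sum hash, the table size, and the sample keys are constructed stand-ins rather than the .NET string hash, and the keyed hash shows one general countermeasure, not a description of Microsoft's update.

```python
import hashlib
import os

BUCKETS = 1024  # constructed table size for the demonstration

def weak_hash(key: str) -> int:
    """Toy unkeyed hash (sum of bytes); NOT the .NET string hash."""
    return sum(key.encode())

def keyed_hash(key: str, secret: bytes) -> int:
    """Hash mixed with a per-process secret, so collisions cannot be precomputed."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def insert_cost(keys, hash_fn) -> int:
    """Insert keys into a chained hash table and count key comparisons."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % BUCKETS]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)  # new key: the whole chain was scanned first
    return comparisons

def sample_keys(n: int):
    """Constructed inputs: n ordinary field names and n names with equal byte sums."""
    ordinary = [f"field{i}" for i in range(n)]
    colliding = ["b" * i + "a" + "b" * (n - 1 - i) for i in range(n)]
    return ordinary, colliding

def compare(n: int = 500) -> dict:
    """Return the comparison counts for each combination of key set and hash."""
    ordinary, colliding = sample_keys(n)
    secret = os.urandom(16)  # chosen once per process in a real deployment
    return {
        "ordinary_weak": insert_cost(ordinary, weak_hash),
        "colliding_weak": insert_cost(colliding, weak_hash),
        "colliding_keyed": insert_cost(colliding, lambda k: keyed_hash(k, secret)),
    }

if __name__ == "__main__":
    for name, cost in compare().items():
        print(f"{name:16} {cost:>8} comparisons")
```

With every key in one bucket, the work grows with the square of the number of keys, which is why a single request carrying many parameters can tie up a server for a long time.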

Solution Path:

Microsoft has released .NET Framework updates to fix these vulnerabilities. If you have web servers or clients that use the .NET Framework, you should download, test and deploy the corresponding updates immediately.

Due to the exhaustive and varied nature of .NET Framework installations (1.1, 2.0, 3.5.x, and 4.0 running on many Windows platforms), we will not include links to all the updates here. We recommend you visit the “Affected and Non-Affected Software” section of Microsoft’s bulletin for those details.

If possible, we also recommend you use Windows Update to automatically download and install the appropriate .NET Framework updates on client computers. That said, you may still want to keep production servers on a manual update process, to avoid upgrade-related problems that could affect business-critical machines.

For All Users:

This attack typically leverages normal looking HTTP requests, which you must allow for users to reach your web application. Therefore, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Out-of-Cycle Bulletin Fixes Serious ASP.NET Padding Oracle Vulnerability

Summary:

  • This vulnerability affects: All current versions of Microsoft’s .NET Framework
  • How an attacker exploits it: By sending a large number of web requests containing cipher text (and interpreting error responses)
  • Impact: In the worst case, an attacker can gain enough information to read and/or tamper with encrypted data from your web server
  • What to do: Install the proper .NET Framework update immediately (Windows Update will not immediately push this update; you should download it manually)

Exposure:

At a cryptography conference in 2002, a researcher introduced a cryptological “side-channel” attack called a padding oracle attack, which attackers can leverage to decrypt Cipher Block Chaining (CBC) mode encryption without knowing the encryption key. Without getting into too much technical detail, block ciphers, such as those used in CBC mode, require that every message be a whole number of blocks long (multiples of eight bytes). However, the plain text messages you encrypt come in varying lengths, which may not fit perfectly within those specifically-sized boundaries. As a result, cryptographic algorithms have to use padding to fill in the extra, unused portions of each block. In order to check whether an encrypted value is padded correctly, encryption mechanisms employ something called a padding oracle. The researcher from 2002 found that by sending multiple, incorrectly padded messages to a server, he could interpret the error messages returned by the padding oracle to eventually learn enough to decrypt the server’s encrypted content without knowing the encryption key. The researcher even released a tool called Padding Oracle Exploit Tool (POET), which you can use to leverage this class of vulnerability.

More recently, at the Ekoparty security conference in Argentina, two security researchers reported that Microsoft ASP.NET suffers from this classic padding oracle attack. More specifically, they found a universal padding oracle vulnerability that supposedly affects every ASP.NET web application. They claimed attackers can leverage this flaw to decrypt cookies, view states, form authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API. As a result of these researchers’ findings, Microsoft has decided to release an out-of-band security update to correct this issue.

According to Microsoft’s out-of-band security bulletin, the ASP.NET components that ship with the .NET Framework suffer from an information disclosure vulnerability due to a padding oracle flaw like the one described above. By repeatedly sending web requests containing a cipher text to a vulnerable ASP.NET web server, an attacker could interpret the error messages returned by the web server to eventually gain enough information to read or tamper with encrypted data. This would allow the attacker to gain access to significant amounts of sensitive information from your web server, and in one example, attackers even demonstrated how this leak could be leveraged to attack and potentially gain full access to the server.
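The error-message leak described above, and the usual way to close it, shown as an added example (not ASP.NET code and not a description of Microsoft's update). The XOR "cipher", the keys, the `user=` ticket format, and the response strings are constructed stand-ins; a real system would use a vetted authenticated-encryption API.

```python
import hashlib
import hmac

BLOCK = 8  # eight-byte blocks, as in the description above

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plain, key, iv):
    """CBC with PKCS#7-style padding over a toy XOR 'cipher' (constructed stand-in)."""
    n = BLOCK - len(plain) % BLOCK
    data, out = plain + bytes([n]) * n, [iv]
    for i in range(0, len(data), BLOCK):
        out.append(xor(xor(data[i:i + BLOCK], out[-1]), key))
    return b"".join(out)

def decrypt(token, key):
    """Raises ValueError when the padding of the decrypted data is malformed."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b"".join(xor(xor(c, key), p) for p, c in zip(blocks, blocks[1:]))
    n = plain[-1] if plain else 0
    if not 1 <= n <= BLOCK or plain[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return plain[:-n]

def leaky_handler(token, key):
    """Vulnerable pattern: padding failures get their own, distinguishable response."""
    try:
        plain = decrypt(token, key)
    except ValueError:
        return "500 padding error"
    return "200 ok" if plain.startswith(b"user=") else "403 invalid ticket"

def seal(plain, key, mac_key, iv):
    """Encrypt-then-MAC: HMAC-SHA256 over IV and ciphertext, appended to the token."""
    body = encrypt(plain, key, iv)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_handler(token, key, mac_key):
    """Check the MAC in constant time before decrypting; one response for any failure."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "403 invalid ticket"
    try:
        plain = decrypt(body, key)
    except ValueError:
        return "403 invalid ticket"
    return "200 ok" if plain.startswith(b"user=") else "403 invalid ticket"
```

Two differently modified tokens draw two different answers from `leaky_handler`, which is the signal the attack depends on; `hardened_handler` rejects both with the same response before any padding is examined.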

Researchers have already released tools and shared examples showing how you can leverage this vulnerability. Furthermore, Microsoft has also seen evidence of attackers leveraging this flaw in the wild. If you have a web server using the .NET Framework, we highly recommend you update it immediately.

For more technical detail about this flaw, check out the articles in the References section below.

Solution Path:

Microsoft has released .NET Framework updates to fix this vulnerability. If you have web servers that use the .NET Framework, you should download, test and deploy the corresponding update immediately:

** Server Core Installation Not Affected

For All Users:

This attack leverages normal looking HTTP requests, which you must allow for your users to reach the web. Therefore, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

