Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. In the initial report it seemed that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but there was also a mention of the possibility to disclose files from the IIS web server. It was unclear whether these were combined or separate issues, but the problem seemed to be viewstate-specific.
However, renowned Microsoft employee Scott Guthrie revealed on his blog that the vulnerability was far more serious, first in his post Important ASP.NET security vulnerability, published just hours after the MS advisory was released. Two days later he posted FAQ about the ASP.NET security vulnerability, probably to sort out some of the confusion around the vulnerability. Guthrie listed disclosure of viewstate and disclosure of files from the web server as two separate issues stemming from the same vulnerability. He also provided a workaround to reduce the chances of a successful exploit, and urged all ASP.NET users to implement the temporary fix quickly.
An interesting observation was that a lot of the key information useful for system owners was found way down in the several hundred comments on Guthrie's first blog post. There he stated that not only the traditional Web Forms technology (where viewstate is a central component) was affected, but all web applications running on .Net were equally vulnerable, including MVC applications and also products such as Sharepoint. Suddenly, it was clear that the vulnerability affected the vast majority (if not all) of Microsoft's customers running web applications on .Net. It's a good thing Guthrie summarized the information in his second post.
The Microsoft advisory was updated the next day (Tuesday, European time) and stated that Microsoft had already started seeing limited attacks on the Internet. This is bad: if you host a .Net web application, implement the workaround in the security advisory as soon as possible.
The background
Interestingly enough, practical padding oracle exploits are discussed in a Usenix paper by Rizzo and Duong published in May. The paper primarily targets how the vulnerability can be exploited in the Java Server Faces (JSF) framework, but underscores that the weakness probably exists in other technologies as well. The paper further explains how the padding oracle can also act as an encryption oracle, letting an attacker create valid ciphertexts without knowledge of the encryption key.
As a side note, Rizzo and Duong in their paper refer to the padding oracle attack presented by Vaudenay at EuroCrypt 2002, a well-known crypto conference. Today's severe vulnerability is in no way new. Its principles have been known for eight years, and a practical attack has been known for at least five months, since Rizzo presented the techniques at the Black Hat Europe conference.
Microsoft will hopefully be able to provide a patch sooner rather than later. The root cause must be resolved; the oracle must be silenced.
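To make the two points above concrete, here is an added example (not code from the post, the Rizzo and Duong paper, or ASP.NET itself) of what a padding oracle is and what "silencing" it means: a server that decrypts CBC-encrypted tokens and reports padding failures separately leaks one bit per request, while a server that authenticates the token (encrypt-then-MAC, checked before any decryption) and returns one uniform rejection leaks nothing. All names, keys and the stand-in Feistel block cipher used in place of AES are constructed for the example; `distinct_responses` is the check a site owner could run against their own token endpoint.

```python
import hmac, hashlib
BLOCK = 16
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # byte-wise XOR

def _toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    # Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256), a stand-in for AES.
    left, right = block[:8], block[8:]
    for r in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(key, bytes([r]) + (left if decrypt else right), hashlib.sha256).digest()[:8]
        left, right = (_xor(right, f), left) if decrypt else (right, _xor(left, f))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK  # PKCS#7 padding, 1..16 bytes
    data, out, prev = plaintext + bytes([n]) * n, b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _toy_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    out = b"".join(_xor(_toy_block(key, c, decrypt=True), p) for c, p in zip(blocks, [iv] + blocks))
    if not 1 <= (n := (out[-1] if out else 0)) <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # a distinguishable failure: this is the oracle
    return out[:-n]

def vulnerable_server(key: bytes, token: bytes) -> str:
    try:  # no integrity check, and the padding failure gets its own observable status
        cbc_decrypt(key, token[:BLOCK], token[BLOCK:])
    except ValueError:
        return "500 padding error"
    return "200 OK"

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = iv + cbc_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

def hardened_server(enc_key: bytes, mac_key: bytes, token: bytes) -> str:
    # Verify the tag in constant time before decrypting: a tampered token never
    # reaches the padding check, and every rejection looks the same.
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return "400 invalid token"
    cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])
    return "200 OK"

def distinct_responses(server, token: bytes, pos: int) -> set:
    # Defender's check: vary one token byte; more than one distinct answer is an oracle.
    return {server(token[:pos] + bytes([v]) + token[pos + 1:]) for v in range(256) if v != token[pos]}
```

With a constructed key and IV, varying the last IV byte gives the vulnerable server two different answers and the hardened server exactly one.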
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Copyright notice
© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.