Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 24, 2010

On the new ASP.NET vulnerability

Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. The initial report suggested that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but the advisory also mentioned the possibility of disclosing files on the IIS server. It was unclear whether these were combined or separate issues, but the problem seemed to be viewstate specific.


However, renowned Microsoft employee Scott Guthrie revealed on his blog that the vulnerability was far more serious, first in his post "Important ASP.NET security vulnerability", published just hours after the MS advisory was released. Two days later he posted "FAQ about the ASP.NET security vulnerability", probably to sort out some of the confusion around the vulnerability. Guthrie listed disclosure of viewstate and disclosure of files from the web server as two separate issues stemming from the same vulnerability. He also provided a workaround to reduce the chances of a successful exploit, and urged all ASP.NET users to quickly implement the temporary fix.

An interesting observation was that a lot of the key information useful for system owners was found way down among the several hundred comments on Guthrie's first blog post. There he stated that not only the traditional Web Forms technology (where viewstate is a central component) was affected, but that all web applications running on .NET were equally vulnerable, including MVC applications and products such as SharePoint. Suddenly, it was clear that the vulnerability affected the vast majority (if not all) of Microsoft's customers running web applications on .NET. It's a good thing Guthrie summarized the information in his second post.

The Microsoft advisory was updated the next day (Tuesday, European time), and stated that Microsoft had already started seeing limited attacks on the Internet. This is bad. If you host a .NET web application, implement the workaround in the security advisory as soon as possible.

The background

Interestingly enough, practical padding oracle exploits are discussed in a USENIX paper by Rizzo and Duong published in May. The paper primarily covers how the vulnerability can be exploited in the JavaServer Faces (JSF) framework, but underscores that the weakness probably exists in other technologies as well. The paper further explains how the padding oracle can also act as an encryption oracle, letting an attacker create valid ciphertexts without knowledge of the encryption key.

As a side note, Rizzo and Duong refer in their paper to the padding oracle attack presented by Vaudenay at EuroCrypt 2002, a well-known crypto conference. Today's severe vulnerability is in no way new. Its principles have been known for eight years, and a practical attack has been known for at least five months, since Rizzo gave a presentation of the techniques at the Black Hat Europe conference.

Microsoft will hopefully be able to provide a patch sooner rather than later. The root cause must be resolved; the oracle must be silenced.
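What "silencing the oracle" means in practice, as an added example that is not from the original post or from Microsoft: a handler that reports CBC padding failures differently from other outcomes, next to one that authenticates the ciphertext before decrypting and returns a single error for every failure. It is written in Node.js rather than ASP.NET; the token layout, handler names and response strings are assumptions constructed for the illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed demo keys; a real application loads these from protected configuration.
const ENC_KEY = nodeCrypto.randomBytes(16);
const MAC_KEY = nodeCrypto.randomBytes(32);
const hmac = (data) => nodeCrypto.createHmac('sha256', MAC_KEY).update(data).digest();

// Token layout (assumed for this example): IV (16) || AES-128-CBC ciphertext || HMAC-SHA256 tag (32).
function issueToken(plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-128-cbc', ENC_KEY, iv);
  const body = Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([body, hmac(body)]);
}

function cbcDecrypt(body) {
  const d = nodeCrypto.createDecipheriv('aes-128-cbc', ENC_KEY, body.subarray(0, 16));
  return Buffer.concat([d.update(body.subarray(16)), d.final()]); // final() throws on bad padding
}

// Oracle: never checks the tag and answers differently when the padding check fails.
function leakyHandler(token) {
  try {
    cbcDecrypt(token.subarray(0, token.length - 32));
    return '200 OK';
  } catch (e) {
    return '500 Padding is invalid';
  }
}

// Silenced: authenticate first, and give every failure the same response.
function silencedHandler(token) {
  const GENERIC = '400 Bad Request';
  if (token.length < 64) return GENERIC;
  const body = token.subarray(0, token.length - 32);
  if (!nodeCrypto.timingSafeEqual(token.subarray(token.length - 32), hmac(body))) return GENERIC;
  try { cbcDecrypt(body); return '200 OK'; } catch (e) { return GENERIC; }
}

// Regression check: tamper with one IV byte in every possible way and
// collect the distinct responses. More than one means the handler leaks.
function responsesToTampering(handler) {
  const valid = issueToken('user=alice');
  const seen = new Set();
  for (let x = 1; x < 256; x++) {
    const t = Buffer.from(valid);
    t[15] ^= x;
    seen.add(handler(t));
  }
  return [...seen].sort();
}
```

Running `responsesToTampering` against each handler in a test suite turns the distinction into a regression check: the leaky handler yields two distinguishable answers to tampered tokens, the silenced one yields exactly one.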

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
