New ASP .NET vulnerability
Saturday, 18 September 2010

A new vulnerability in all versions of ASP .NET has just been announced along with an urgent fix. Without the fix an attacker can decrypt data sent by a client.


A few hours ago (Saturday 18th Sept 9pm EDT) Microsoft released a Security Advisory about a security vulnerability in ASP.NET.

This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference. Microsoft recommends that all customers immediately apply a workaround (described here) to prevent attackers from using this vulnerability against ASP.NET applications. (Most of the information in this news item is taken from Scott Guthrie's Blog.)


What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles.

An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. 

By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

The Fix

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature, and explicitly configure your applications to always return the same error page, regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.
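One way to check a web.config against the workaround described above, as an added example that is not code from Microsoft or from the original article. The function name, file contents and error page paths are constructed for illustration; the check assumes an un-namespaced <configuration> root and only inspects the top-level <system.web> section, not <location> overrides.

```python
import xml.etree.ElementTree as ET

# Constructed sample: custom errors are enabled, but 404 and 500 map to
# different pages, so responses still differ by error type.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/servererror.html" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: every error is mapped to the same page.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


def audit_custom_errors(config_xml):
    """Return a list of findings; an empty list means the workaround is in place."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    node = system_web.find("customErrors") if system_web is not None else None
    if node is None:
        return ["no <customErrors> element: the feature is not explicitly configured"]

    findings = []
    # ASP.NET treats a missing mode attribute as RemoteOnly.
    mode = node.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append('mode="Off": detailed errors are returned to clients')
    if not (node.get("defaultRedirect") or "").strip():
        findings.append("defaultRedirect is not set")
    # Any per-status entry lets a client tell error types apart again.
    for err in node.findall("error"):
        findings.append(
            "per-status page for %s -> %s" % (err.get("statusCode"), err.get("redirect"))
        )
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_custom_errors(xml) or "OK")
```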


Last Updated ( Saturday, 18 September 2010 )
Copyright © 2017 i-programmer.info. All Rights Reserved.