On the new ASP.NET vulnerability

Sep 24, 2010

On the new ASP.NET vulnerability

Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. In the initial report it seemed that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but there was also a mention of the possibility to disclose files on the IIS. It was unclear whether these were combined or separate issues, but the issue seemed to be viewstate specific.

However, renowned Microsoft employee Scott Guthrie revealed that the vulnerability was far more serious on his blog, first in his post Important ASP.NET security vulnerability just hours after the MS advisory was released. Two days later he posted FAQ about the ASP.NET security vulnerability, probably to sort out some of the confusion around the vulnerability. Guthrie listed disclosure of viewstate and disclosure of files from the webserver as two separate issues stemming from the same vulnerability. He also provided a workaround to reduce the chances of a successful exploit, and urged all ASP.NET users to quickly implement the temporary fix.

An interesting observation was that a lot of the key information useful for system owners was found way down in the several hundred comments on Guthrie's first blog post. There he stated that not only the traditional Web Forms technology (where viewstate is a central component) was affected, but all web applications running on .Net were equally vulnerable, including MVC applications and also products such as Sharepoint. Suddenly, it was clear that the vulnerability affected the vast majority (if not all) of Microsoft's customers running web applications on .Net. It's a good thing Guthrie summarized the information in his second post.

The Microsoft advisory was updated the next day (Tuesday, European time), and informed that Microsoft had already started seeing limited attacks on the Internet. This is bad, if you host a .Net web application, implement the workaround in the security advisory as soon as possible.

The background
Interestingly enough, practical padding oracle exploits are discussed in a Usenix paper by Rizzo and Duong published in May. The paper primarily targets how the vulnerability can be exploited in the Java Server Faces (JSF) framework, but underscores that the weakness probably exists in other technologies as well. The paper further explains how the padding oracle also can act as an encryption oracle — letting an attacker create valid ciphertexts without knowledge of the encryption key.

As a sidenote, Rizzo and Duong in their paper refer to padding oracle attack pre-
sented by Vaudenay at EuroCrypt 2002, a well known crypto conference. Today's severe vulnerability is in no way new. Its principles have been known for eight years and a practical attack has been known for at least five months after Rizzo gave a presentation of the techniques at the Blackhat Europe conference.

Microsoft will hopefully be able to provide a patch sooner than later. The root cause must be resolved, the oracle must be silenced.