Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. In the initial report it seemed that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but there was also a mention of the possibility of disclosing files on the IIS server. It was unclear whether these were combined or separate issues, but the issue seemed to be viewstate specific.
However, renowned Microsoft employee Scott Guthrie revealed on his blog that the vulnerability was far more serious, first in his post Important ASP.NET security vulnerability, published just hours after the MS advisory was released. Two days later he posted FAQ about the ASP.NET security vulnerability, probably to sort out some of the confusion around the vulnerability. Guthrie listed disclosure of viewstate and disclosure of files from the web server as two separate issues stemming from the same vulnerability. He also provided a workaround to reduce the chances of a successful exploit, and urged all ASP.NET users to quickly implement the temporary fix.
An interesting observation was that a lot of the key information useful for system owners was found way down in the several hundred comments on Guthrie's first blog post. There he stated that not only was the traditional Web Forms technology (where viewstate is a central component) affected, but all web applications running on .NET were equally vulnerable, including MVC applications and also products such as SharePoint. Suddenly, it was clear that the vulnerability affected the vast majority (if not all) of Microsoft's customers running web applications on .NET. It's a good thing Guthrie summarized the information in his second post.
The Microsoft advisory was updated the next day (Tuesday, European time), and stated that Microsoft had already started seeing limited attacks on the Internet. This is bad. If you host a .NET web application, implement the workaround in the security advisory as soon as possible.
The background
Interestingly enough, practical padding oracle exploits are discussed in a USENIX paper by Rizzo and Duong published in May. The paper primarily targets how the vulnerability can be exploited in the Java Server Faces (JSF) framework, but underscores that the weakness probably exists in other technologies as well. The paper further explains how the padding oracle can also act as an encryption oracle, letting an attacker create valid ciphertexts without knowledge of the encryption key.
As a sidenote, Rizzo and Duong in their paper refer to the padding oracle attack presented by Vaudenay at EuroCrypt 2002, a well-known crypto conference. Today's severe vulnerability is in no way new. Its principles have been known for eight years, and a practical attack has been known for at least five months, since Rizzo gave a presentation of the techniques at the Black Hat Europe conference.
Microsoft will hopefully be able to provide a patch sooner rather than later. The root cause must be resolved: the oracle must be silenced.
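What "silencing the oracle" means at the code level, as an added example that is not from this post or from Microsoft's fix: the ciphertext is authenticated with an HMAC that is checked in constant time before any decryption, so tampered or forged input never reaches the padding check and every failure looks the same. `SealedToken`, `Protect` and `TryUnprotect` are hypothetical names; the sketch assumes two independent 32-byte keys and .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration; SealedToken and its members are hypothetical names.
public static class SealedToken
{
    const int IvLen = 16, BlockLen = 16, TagLen = 32;

    // Token layout: IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();            // defaults: CBC mode, PKCS7 padding
        aes.Key = encKey;
        aes.GenerateIV();                        // fresh random IV per token
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = new byte[IvLen + ct.Length];
        Buffer.BlockCopy(aes.IV, 0, body, 0, IvLen);
        Buffer.BlockCopy(ct, 0, body, IvLen, ct.Length);
        using var hmac = new HMACSHA256(macKey);
        byte[] tag = hmac.ComputeHash(body);     // MAC covers IV and ciphertext
        byte[] token = new byte[body.Length + TagLen];
        Buffer.BlockCopy(body, 0, token, 0, body.Length);
        Buffer.BlockCopy(tag, 0, token, body.Length, TagLen);
        return token;
    }

    // Returns false for every kind of failure; the caller sends one generic response.
    public static bool TryUnprotect(byte[] token, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        int bodyLen = (token?.Length ?? 0) - TagLen;
        if (bodyLen < IvLen + BlockLen || (bodyLen - IvLen) % BlockLen != 0) return false;
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(token, 0, bodyLen);
        // MAC first, compared in constant time: modified ciphertext is rejected here,
        // before the decryptor ever inspects the padding.
        if (!CryptographicOperations.FixedTimeEquals(expected, token.AsSpan(bodyLen, TagLen)))
            return false;
        try
        {
            using var aes = Aes.Create();
            aes.Key = encKey;
            aes.IV = token.AsSpan(0, IvLen).ToArray();
            using var dec = aes.CreateDecryptor();
            plaintext = dec.TransformFinalBlock(token, IvLen, bodyLen - IvLen);
            return true;
        }
        catch (CryptographicException) { return false; }  // same outcome as a bad MAC
    }
}
```

Because a valid tag cannot be produced without the MAC key, the same check also blocks the encryption-oracle use described above: ciphertexts constructed by an attacker are rejected before decryption.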
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Copyright notice
© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.