Microsoft has today published a set of patches for a security flaw in all versions of ASP.NET. The flaw, given an “important” rating by the company, allows information disclosure from any ASP.NET site that used cryptography in certain ways. In practice, almost all ASP.NET sites are impacted by the problem, as a range of built-in features use the affected code.
Initially, the fixes must be manually downloaded and installed. It will be published to Windows Update and Windows Server Update Services within a few days. Though not being pushed out on the normal Patch Tuesday schedule, the fix is fully tested and production-quality. With the fix deployed, the workarounds described in the advisory are no longer required.
ASP.NET is not the only software susceptible to the flaw. Apache MyFaces, for example, has the same issue, as do certain CAPTCHA systems. Frameworks such as Ruby On Rails also include functions vulnerable to the same design flaw, though typically are not themselves flawed. The reason that the flaw isn’t restricted to ASP.NET is that it’s a design fault concerning how the programs use encryption, and both MyFaces and ASP.NET make the same mistake.
The impact of the issue will vary depending on how software uses the encryption-dependent features. ASP.NET is unusually vulnerable, as it makes particularly extensive use of encrypted data. The attack can be used to retrieve any file from a server running ASP.NET, including files containing essential configuration data. The information disclosed can in turn be used for privilege escalation, as shown in this attack against DotNetNuke. Other systems may be vulnerable to a similar attack but with less catastrophic consequences.
In essence, the flaw allows attackers to figure out how to decrypt information that they shouldn’t be able to decrypt, by examining error messages sent by the server. Encryption algorithms generally require their inputs to be multiples of eight or 16 bytes long; to reach the right length, messages are padded with extra data. The attackers send specially manipulated encrypted data to the server, and the server’s error messages allow the attackers to distinguish between data that was properly padded and data that was not, which in turn leaks information about the real (non-padding) data. Ultimately, attackers can decrypt data used by the application and, subject to certain constraints, encrypt data of their own choosing.
In cryptographic terms, any system that can tell an attacker some fact about a piece of encrypted data is named an “oracle.” Since this oracle tells attackers about the validity of data used to pad encrypted messages, the attack has been dubbed a “padding oracle attack” by the researchers who devised it.
What is surprising about this attack is that isn’t especially new. The attack method itself was largely described in 2002, as was a mechanism to subvert the attack and silence the oracle. Application of the attack to common online systems was demonstrated in April of this year at Black Hat Europe, and again in August at USENIX WOOT.
However, it wasn’t until the ekoparty security conference two weeks ago that anyone appeared to take real notice of the attack’s impact, especially against ASP.NET applications. Vulnerabilities were duly recorded and Microsoft began work on producing the patch that was published today.
Read the comments on this post
View full post on Security
Microsoft has released 3 updates to Office and the Forefront Unified Access Gateway (UAG) to address a total of 11 vulnerabilities. Just 1 of the 11 is rated critical, but it’s a doozy.
