Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Microsoft published an advisory to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various web platforms.
Suha Can and Jonathan Ness from the Microsoft security research and defence team said the vulnerability could allow an attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers.
“For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100 per cent of one CPU core for between 90 and 110 seconds," they wrote.
"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial-of-service condition for even multi-core servers or clusters of servers."
Announced ahead of the New Year, Dave Forstrom, director of Microsoft Trustworthy Computing, said it was not aware of any attacks using this vulnerability which affected all supported versions of the .NET Framework.
Microsoft recommended customers use the mitigation and workaround described in the advisory to help protect sites against the hash table exploit. The denial-of-service vulnerability affected several vendors' web application platforms, including Microsoft's ASP.NET.
“Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue," Forstrom said.
The advisory said it anticipates the imminent public release of exploit code. Wolfgang Kandek, CTO of Qualys, praised Microsoft's speed in responding to the research by the Chaos Communication Congress.
“The bulletin fixes the denial-of-service attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request," Kandek said.
"The default limit is 1000, which should be enough for normal web applications, but still low enough to neutralise the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
“Overall the bulletin addresses four issues: CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical; CVE-2011-3414 is the hash table collision denial-of-service issue discussed above and is rated as important; CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability, which is also rated as important; and CVE-2011-3415 is the Insecure Redirect vulnerability, which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.”
This article originally appeared at scmagazineuk.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.