A new problem has been uncovered that allows an attacker to obtain encrypted session cookies or other encrypted/protected data stored on any version of ASP.NET from Windows XP to Windows 7 and 2008 R2.  When properly exploited, the attacker gets full administrative rights to the application and gets access to files such as the web.config file which often stores sensitive information and passwords.  From ComputerWorld:

Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text.

It will take some time for Microsoft to patch this problem across all platforms.  It is possible to update your application to be immune to this attack, and I recommend patching your application as soon as possible.  From Scott Guthrie of Microsoft:

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page – regardless of the error encountered on the server…

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page.  This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.

This link has detailed instructions on how to protect against this attack in each platform. Happy patching.

One thought on “Major ASP.NET Vulnerability

  1. Peter Hesse says:

    Urg. Some updates in this threatpost article. Seems the current workarounds aren’t a guarantee of safety. Microsoft will be pushing an emergency fix very soon now.

Comments are closed.