Microsoft Issues Web Apps Security Warning

Microsoft issued a security advisory on 17 September with a workaround for a vulnerability impacting web applications built on ASP.NET.

The advisory was in response to findings by security researchers Juliano Rizzo and Thai Duong, who developed the “Padding Oracle Exploit Tool” to demonstrate the attack. At the heart of the issue is a vulnerability in the way ASP.NET implements encryption to protect data. The problem, Microsoft said, is caused by ASP.NET providing web clients details in error messages when decrypting certain ciphertext.

Padding oracle

“An oracle in the context of cryptography is a system which provides hints as you ask it questions,” explained Kevin Brown, Microsoft Security Response Centre Engineering, in a post on Microsoft’s Security Research & Defense blog. “In this case, there is a vulnerability in ASP.Net which acts as a padding oracle. This allows an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server.”

“By making many requests the attacker can learn enough to successfully decrypt the rest of the cipher text,” he continued. “The attacker can then alter the plain text and re-encrypt it as well.”

If the ASP.NET application stores sensitive information, such as passwords or database connection strings, in the ViewState object the data could be compromised, Brown said.

“The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack,” he wrote. “If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application.”

“The public disclosure demonstrated using this technique to retrieve the contents of web.config,” he added, noting that any “file in the ASP.Net application which the worker process has access to will be returned to the attacker.”

Microsoft said it is planning an update to address the issue, and as of 17 September was not aware of any attacks targeting the flaw. According to the advisory, using Triple DES encryption instead of AES encryption will have no effect, since the “cryptographic vulnerability being presented involves revealing cryptographic padding errors to a client for algorithms that use PKCS #7 padding” and Triple DES shares that padding mode with AES.

As a workaround, the company recommends enabling ASP.NET custom errors, and mapping all error codes to the same error page to make it more difficult for an attacker to distinguish the different types of errors. Advice on how to do that is contained within the advisory.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago