Microsoft Releases Critical Workaround For DoS Bug in ASP.Net

Microsoft’s workaround prevents HTTP requests that can occupy all CPU cycles on a Web server

Microsoft has released a workaround for an ASP.Net vulnerability to help protect Websites against potential denial-of-service (DoS) attacks, according to a security advisory.

The publicly disclosed vulnerability affects all supported versions of the .Net framework, but Microsoft is “not aware” of any attacks in the wild currently exploiting the flaw, Dave Forstrom, director of Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Center blog. While Microsoft is working on a patch to address the bug, Forstrom did not indicate when the fix will be available.

CPU cycle hogging

An anonymous attacker could exploit the zero-day vulnerability to efficiently consume all CPU resources on a Web server, resulting in a denial-of-service condition, Suha Can and Jonathan Ness, MSRC engineers, wrote on the Security Research and Defense blog.

The exploit uses a specially crafted HTTP request containing thousands of form values whose names are chosen to collide in the hash table that ASP.Net builds to hold them. With every name landing in the same bucket, each insertion degenerates into a linear scan of the entries already there, so the cost of processing one request grows quadratically with the number of fields it carries. Any ASP.Net Website that accepts form data is likely to be vulnerable, as is a Web server running the default configuration of Internet Information Services (IIS) with ASP.Net enabled, according to the post.

“Our teams are working around the clock worldwide to develop a security update of appropriate quality to address the issue,” Forstrom wrote.

Microsoft’s suggested workaround modifies the web.config and applicationHost.config files to set a maximum request size that ASP.Net will accept (the httpRuntime maxRequestLength setting), according to the security advisory. The lower the limit, the smaller the request, and therefore the fewer colliding form values, an attacker can get ASP.Net to process, which Microsoft describes as reducing the “susceptibility” of the server and the Web application. With the change in place, the server returns an error for any request that exceeds the limit. The caveat is that the same limit applies to legitimate traffic: applications that allow users to upload files, or that post large forms, may break under a small limit and need one tuned to their real payload sizes.

An HTTP request of merely 100KB can lock up 100 percent of a single CPU core for almost two minutes on the ASP.Net platform. An attacker can send such requests repeatedly, degrading the server’s performance to the point of denial of service. Can and Ness noted that multicore servers and server clusters are not immune, since the attacker need only send one such request per core or per node to tie them all up.
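The following is an added illustration, not code from Microsoft, from the researchers or from any affected framework, of the two points above: why one request carrying thousands of colliding form-field names costs quadratic work, and how a request-size cap of the kind Microsoft’s workaround sets bounds that cost before the parser ever hashes a field. It assumes DJBX33A as the hash function (PHP’s; ASP.Net uses a different string hash, but the 28C3 attack exploits the same property in each), a plain separate-chaining table, and a web.config fragment mirroring the maxRequestLength workaround with the 20 KB value used in the advisory’s example. The hostile and benign bodies are constructed in the script.

```python
"""Added illustration (not Microsoft's, the researchers' or any project's
code): quadratic cost of colliding form-field names, and a request-size cap
applied before parsing. Assumptions: DJBX33A hash, un-resized chaining
table, web.config fragment mirroring the advisory's 20 KB example."""
import xml.etree.ElementTree as ET
from itertools import product


def djbx33a(s: str) -> int:
    """Bernstein's string hash as used by PHP 5: h = h*33 + c, unseeded."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n_pairs: int) -> list:
    """2**n_pairs distinct names with identical hashes. 'Ez' and 'FY' hash
    to the same value, and h(a+b) = h(a)*33**len(b) + h0(b), so every
    concatenation of colliding pairs collides as well."""
    return ["".join(p) for p in product(("Ez", "FY"), repeat=n_pairs)]


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons, the work
    the attack inflates. Deliberately not resized: growing the table does
    not help when every key has the same full hash value."""

    def __init__(self, buckets: int = 1024):
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[djbx33a(key) % len(self.buckets)]
        for entry in chain:  # walk the chain looking for a duplicate name
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def parse_form(body: str) -> ChainedTable:
    """Build the form collection from a 'name=value&name=value' body, the
    step a framework performs for every POST before application code runs."""
    table = ChainedTable()
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def attack_body(n_pairs: int) -> str:
    """Constructed hostile body: 2**n_pairs colliding fields, each '=x'."""
    return "&".join(f"{k}=x" for k in colliding_keys(n_pairs))


# Mirrors the advisory's web.config workaround; maxRequestLength is in KB.
WEB_CONFIG_WORKAROUND = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="20" />
  </system.web>
</configuration>"""


def max_request_bytes(web_config_xml: str) -> int:
    node = ET.fromstring(web_config_xml).find("./system.web/httpRuntime")
    return int(node.get("maxRequestLength")) * 1024


def accept_request(body: str, limit_bytes: int) -> bool:
    """The workaround in one check: judge the body by its size alone
    (ASP.Net uses Content-Length) and refuse it before any field is hashed."""
    return len(body.encode("utf-8")) <= limit_bytes


def demo(n_pairs: int = 12) -> dict:
    """Compare the hostile body with a benign one carrying the same number
    of fields, and show the size cap rejecting the hostile one unparsed.
    With n_pairs=12 the hostile body is about 108 KB, close to the figure
    Microsoft quoted."""
    n = 2 ** n_pairs
    hostile = attack_body(n_pairs)
    benign = "&".join(f"field{i}=x" for i in range(n))
    return {
        "fields": n,
        "hostile_bytes": len(hostile),
        "hostile_comparisons": parse_form(hostile).comparisons,  # n*(n-1)/2
        "benign_comparisons": parse_form(benign).comparisons,
        "hostile_accepted": accept_request(
            hostile, max_request_bytes(WEB_CONFIG_WORKAROUND)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the hostile body needing n(n-1)/2 key comparisons for n fields while the benign body of equal field count needs a few thousand, and shows the 20 KB cap refusing the hostile body before parse_form is reached. The comparison counter stands in for wall-clock time so the result is deterministic; on a real server the same ratio turns into the minute-plus stall described above.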

Attacks exploiting this vulnerability differ from typical DoS attacks in that they require neither a botnet nor much coordination to take a Web server down, Andrew Storms, director of security operations at nCircle, told eWEEK. Most DoS attacks rely on a huge number of small requests to overwhelm a Web server; here a single request can consume a single core for 90 seconds, he said.

“Queue up a few of these requests every few minutes, and the site will be essentially knocked offline,” Storms said.

Chaos revelation

Security researchers Julian Wälde and Alexander Klink presented the new way to attack Web application frameworks at the 28th Chaos Communication Congress in Germany. They also posted details of the vulnerability on the Full Disclosure mailing list (archived under gmane.comp.security).

The zero-day vulnerability is not unique to ASP.Net: the list of affected platforms in the Full Disclosure post includes PHP 4 and 5; Java, and with it Apache Tomcat, Geronimo, Jetty and Oracle Glassfish; Python and Plone; CRuby 1.8, JRuby and Rubinius; and the V8 JavaScript engine. While there are no active attacks in the wild, Microsoft anticipates an “imminent” release of exploit code, Can and Ness wrote.

Storms predicted other vendors will be making similar zero-day announcements and coming up with mitigation advice for other platforms. Apache has already updated Tomcat for versions 7.0.x and 6.0.x and a release is planned for 5.5.x, Mark Thomas of the Apache Software Foundation Security Team told eWEEK. Other vendors have not responded to queries.

“Every year around the holidays we get a security fire drill, and this year is no exception,” Storms said.

Microsoft will deliver an emergency patch “pretty quickly”, possibly sometime this week, Storms predicted. Testing and deploying the emergency patch could pose a challenge for most enterprise IT teams, as they may be “running skeleton crews”, Storms said.

ASP.Net Website owners should review the advisory to “evaluate the denial-of-service risk” and implement the workaround and attack detection mechanisms to protect their sites until a security update is available, Microsoft recommended. The company is also working with partners through the Microsoft Active Protections Program (MAPP) to help build protections into other security products, according to Forstrom.