Microsoft warns of in-the-wild attacks on web app flaw
Time to gag your ASP.Net oracle
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.
The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.
Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files.
“There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft's Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.)
Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents.
But by bombarding a vulnerable server with large amounts of corrupted data and then carefully analyzing the error messages that result, attackers can deduce the key used to encrypt the files. The side-channel attack can be used to convert virtually any file of the attacker's choosing.
The temporary fix involves reconfiguring applications so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors A script to identify the oracles that needlessly reveal important cryptographic clues is here.
Thai Duong, one of the researchers who disclosed the vulnerability last week, said here that simply turning off custom error messages was not enough to ward off exploits because attackers can still measure the different amounts of time required for certain errors to be returned.
Microsoft's Guthrie said versions 3.5 SP1 or 4.0 of the .Net platform on which the applications run have protections to prevent such timing analysis. They include an option in the customErrors feature that introduces a random delay in the error page. He recommends turning it on and configuring apps to return precisely the same error response regardless of the error encountered on the server.
Microsoft hasn't said when it plans to issue a permanent fix. Its next regular patch release is scheduled for October 12. ®