Flaw Affecting ASP.NET Apps Now Being Exploited

Microsoft has issued a new security advisory about a vulnerability in the encryption system used with ASP.NET. Late Monday, Microsoft published additional information about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could lead to information disclosure, such as revealing password information. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, including some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post stated the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appeared to have different workarounds, depending on the ASP.NET version used, as this blog by Corporate Vice President of Microsoft's .NET Developer Platform Scott Guthrie explained. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also pointed to a new Microsoft forum to get answers on the topic.

Microsoft is proposing a workaround and a way to assess whether the user's ASP.NET installation is vulnerable. As of Monday, Microsoft is aware of "limited attacks" using this vulnerability. The security team was working on a security update for the flaw, according to the advisory.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 described the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.

Microsoft's workaround for the flaw, as provided in its security advisory, is to make a configuration change that enables "ASP.NET custom errors." Instead of allowing the server's oracle to sing out error messages that could enable an attacker to gain information from the WEB.CONFIG file, this workaround returns a single file after encountering errors. The workaround doesn't fix the flaw, but it helps shutdown the information flow.

Microsoft provided a script in its security and defense blog post that allows IT pros to test whether their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • stylized illustration of a desktop, laptop, tablet, and smartphone all displaying an orange AI icon

    Survey: AI Shifting from Cloud to PCs

    A recent Intel-commissioned report identifies a significant shift in AI adoption, moving away from the cloud and closer to the user. Businesses are increasingly turning to the specialized hardware of AI PCs, the survey found, recognizing their potential not just for productivity gains, but for revolutionizing IT efficiency, fortifying data security, and delivering a compelling return on investment by bringing AI capabilities directly to the edge.

  • cybersecurity book with a shield and padlock

    Proposed NIST Cybersecurity Guidelines Aim to Safeguard AI Systems

    The National Institute of Standards and Technology has announced plans to issue a new set of cybersecurity guidelines aimed at safeguarding artificial intelligence systems, citing rising concerns over risks tied to generative models, predictive analytics, and autonomous agents.

  • open laptop with various educational materials like charts, quizzes, and documents emerging from the screen

    Pear Deck Learning Debuts New AI Features

    GoGuardian recently introduced new artificial intelligence features within its Pear Deck Learning curriculum and instruction platform, designed to aid educators throughout their teaching journey — from lesson planning to assessment.

  • students raising their hands and participating in a classroom discussion

    Report Explores Link Between Student Engagement and Learning

    Over 90% of teachers, principals, and superintendents agree that student engagement is a critical metric for understanding overall achievement, according to a new survey report from Discovery Education.