Texas A&M AgriLife IT Security
Texas A&M AgriLife IT SecurityLatest IT news & tips to keep your computer safe

Out of Band patch issued for ASP.NET implementations

by

On Thursday, December 29, Microsoft released an out of band patch to address a vulnerability identified in ASP.NET applications. If exploited, the vulnerability will cause a denial of service event. If you have ASP.NET applications on your webserver, it is recommended that this patch be applied as soon as possible.

Please see details at the following URLs –
http://technet.microsoft.com/en-us/security/advisory/2659883
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx
http://blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx
http://blogs.technet.com/b/msrc/archive/2011/12/30/december-2011-out-of-band-security-bulletin-webcast-q-amp-a.aspx

Specific details regarding the exploit
General Information
Executive Summary
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

ASP.Net vulnerability

by Leave a Comment

Update – September 28 – Microsoft to release an Out of Band update for ASP.Net applications. See http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx for additional details.

On September 17, a major vulnerability was identified in all ASP.Net applications. The condition has been recognized by Microsoft and efforts are underway to develop a patch. The URLs provided below include most of the information currently available.  It is recommended that all web administrators that have ASP.Net applications implement a  work around (see customErrors below) that would limit the details provided on web server error messages. 

http://2mw.mcafee.com/2minutebroadcast.asp
Microsoft Issues Workaround for ASP.NET Vulnerability

Microsoft has published a workaround for a security vulnerability in its ASP.NET software which was exposed last week.

The company admitted to the problem in a security advisory published on Friday. “A few hours ago we released a Microsoft security advisory about a vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET 2,” wrote Windows developer Scott Guthrie in a blog post. “This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround to prevent attackers using this vulnerability against your ASP.NET applications.”

The flaw allows attackers to request and download files from within an ASP.NET application, which could include the web.config file.

Another option for attackers is the ability to decrypt any data sent to a client machine in an encrypted state.

Guthrie explained that the vulnerability requires many access attempts before an attacker could ascertain that it exists. “By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text,” he said.

Administrators should enable the <customErrors> feature of ASP.NET and configure the system to always return the same error message. This will prevent hackers from “distinguishing between the different types of errors that occur on a server”, according to Guthrie.

Microsoft has also released a small code patch for ASP.NET. Affected software includes Windows XP, including SP3 and Professional, Windows Server 2003 and 2008, Windows Vista and Windows 7.

http://blogs.technet.com/b/msrc/archive/2010/09/20/update-to-security-advisory-2416728.aspx
Update to Security Advisory 2416728 – http://www.microsoft.com/technet/security/advisory/2416728.mspx
Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure   

http://blogs.technet.com/b/srd/archive/2010/09/20/additional-information-about-the-asp-net-vulnerability.aspx
Additional Information about the ASP.NET Vulnerability

Update – Additional information on the symptoms of a successful exploitation of the vulnerability
http://blogs.technet.com/b/srd/archive/2010/09/20/additional-information-about-the-asp-net-vulnerability.aspx