Microsoft Issues Web Apps Security Warning

Microsoft issued a security advisory on 17 September with a workaround for a vulnerability impacting web applications built on ASP.NET.

The advisory was in response to findings by security researchers Juliano Rizzo and Thai Duong, who developed the “Padding Oracle Exploit Tool” to demonstrate the attack. At the heart of the issue is a vulnerability in the way ASP.NET implements encryption to protect data. The problem, Microsoft said, is caused by ASP.NET providing web clients details in error messages when decrypting certain ciphertext.

Padding oracle

“An oracle in the context of cryptography is a system which provides hints as you ask it questions,” explained Kevin Brown, Microsoft Security Response Centre Engineering, in a post on Microsoft’s Security Research & Defense blog. “In this case, there is a vulnerability in ASP.Net which acts as a padding oracle. This allows an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server.”

“By making many requests the attacker can learn enough to successfully decrypt the rest of the cipher text,” he continued. “The attacker can then alter the plain text and re-encrypt it as well.”

If the ASP.NET application stores sensitive information, such as passwords or database connection strings, in the ViewState object the data could be compromised, Brown said.

“The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack,” he wrote. “If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application.”

“The public disclosure demonstrated using this technique to retrieve the contents of web.config,” he added, noting that any “file in the ASP.Net application which the worker process has access to will be returned to the attacker.”

Microsoft said it is planning an update to address the issue, and as of 17 September was not aware of any attacks targeting the flaw. According to the advisory, using Triple DES encryption instead of AES encryption will have no effect, since the “cryptographic vulnerability being presented involves revealing cryptographic padding errors to a client for algorithms that use PKCS #7 padding” and Triple DES shares that padding mode with AES.

As a workaround, the company recommends enabling ASP.NET custom errors, and mapping all error codes to the same error page to make it more difficult for an attacker to distinguish the different types of errors. Advice on how to do that is contained within the advisory.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Microsoft Faces EU Antitrust Charges Over Teams

Microsoft faces formal EU antitrust charges over videoconferencing app Teams after concessions to European Commission…

23 hours ago

New Jersey Apple Store Workers Vote Against Unionisation

Workers at New Jersey Apple Store vote against joining union as post-pandemic labour drive at…

24 hours ago

OpenAI Adds Voice Conversation To New ChatGPT Model

Microsoft-backed OpenAI releases new AI model GPT-4o with voice conversation capability, desktop app and updated…

1 day ago

SpaceX Prepares Fourth Starship Test

SpaceX prepares fourth Starship test flight, launches more Starlink satellites, shows EVA suit for commercial…

1 day ago

SpaceX Contractors In Texas Remain Unpaid

SpaceX and its contractors have left construction bills unpaid in Texas, angering many smaller suppliers,…

1 day ago

US To Make 30 Percent Of Advanced Chips By 2032

US to triple domestic chipmaking capacity and control 30 percent of advanced chips by 2032…

1 day ago