When Microsoft comes out with an out-of-cycle security advisory (and during a holiday week, no less), you know something big is up. This week’s bulletin highlights a denial of service attack and two privilege escalation vulnerabilities that affect web sites built on top of ASP.NET. The most serious privilege escalation vulnerability could allow an attacker to execute commands on a system by sending specially crafted web requests.
The denial of service issue stems from a flaw in the way ASP.NET (as well as PHP, Ruby and Java) handles the hash tables used to hold the parameters passed from user web input to the web server. By sending specially crafted requests to a vulnerable web server, it is possible to tie up all of its CPU resources and make it unavailable to legitimate users. This attack was revealed at this past week’s Chaos Communications Congress in Berlin – you can watch the presentation here.
There is a very good technical description of the DoS problem and attack here.
The DoS flaw is also present in PHP, Python, some Java web frameworks, and Ruby. Apache Tomcat 7.0.23 contains a workaround fix which limits the number of parameters accepted in a POST request. PHP version 5.4.0 will include a workaround fix for this problem, but that release is not yet ready for production use. Ruby versions 1.9 and higher have a fix which solves the problem by randomizing the hash tables.
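To make the mechanism and the two classes of fix above concrete, here is a toy model I have added to this post; it is not code from Microsoft, PHP, Ruby or Tomcat. It uses a deliberately weak stand-in hash (the sum of the character codes, so any anagram collides) and a seeded FNV-style hash as a stand-in for Ruby's randomized hashing, and it counts the key comparisons a chained hash table performs while a request's parameters are inserted. The parameter-count check models the Tomcat/PHP workaround; the limit of 1000 is an assumed value, not either vendor's default, and the colliding names are constructed for the demonstration only.

```python
"""Toy model of the hash-table DoS and its two mitigations (constructed example)."""
import itertools
import random

FNV_PRIME = 0x100000001B3
FNV_OFFSET = 0xCBF29CE484222325
MASK64 = (1 << 64) - 1


def weak_hash(key: str, seed: int = 0) -> int:
    """Stand-in for a predictable, unkeyed hash: the sum of the character codes.
    Every permutation of the same characters hashes identically, so collisions are
    trivial to find; the seed is ignored, like a hash that cannot be keyed."""
    return sum(ord(c) for c in key)


def keyed_hash(key: str, seed: int) -> int:
    """FNV-1a over the bytes, started from a per-process random seed and finished
    with an avalanche step so the bucket index depends on the seed as well as the
    key. A toy version of the randomized hashing Ruby 1.9 adopted."""
    h = (FNV_OFFSET ^ seed) & MASK64
    for b in key.encode():
        h = ((h ^ b) * FNV_PRIME) & MASK64
    h ^= h >> 32
    h = (h * 0x9E3779B97F4A7C15) & MASK64
    h ^= h >> 29
    return h


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, which is
    the work that balloons when every key lands in the same bucket."""

    def __init__(self, hash_fn, seed: int, buckets: int = 1024):
        self.hash_fn, self.seed = hash_fn, seed
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key, self.seed) % len(self.buckets)]
        for entry in chain:  # linear walk: O(chain length) per insert
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def colliding_names(n: int) -> list:
    """Parameter names that all collide under weak_hash: permutations of one word.
    Constructed input for this demonstration, not a real-world payload."""
    return ["".join(p) for p in itertools.islice(itertools.permutations("abcdef"), n)]


def insert_cost(names, hash_fn, seed: int = 0, buckets: int = 1024) -> int:
    """Total key comparisons needed to insert all names with the given hash."""
    table = ChainedTable(hash_fn, seed, buckets)
    for name in names:
        table.put(name, "x")
    return table.comparisons


class TooManyParameters(ValueError):
    pass


def parse_form(body: str, max_params: int = 1000) -> dict:
    """Parse an application/x-www-form-urlencoded body, but count the parameters
    before any of them touches a hash table (the Tomcat 7.0.23 / PHP 5.4 style
    workaround; the 1000 default is an assumed value, not a vendor's)."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_params:
        raise TooManyParameters(f"{len(pairs)} parameters exceeds limit {max_params}")
    out = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        out[name] = value
    return out


if __name__ == "__main__":
    names = colliding_names(720)
    print("unkeyed hash, all keys collide:", insert_cost(names, weak_hash))
    print("keyed hash, random seed       :", insert_cost(names, keyed_hash, random.getrandbits(64)))
    body = "&".join(f"{n}=1" for n in names)
    try:
        parse_form(body, max_params=500)
    except TooManyParameters as e:
        print("rejected before hashing:", e)
```

With 720 colliding names the unkeyed table performs 720*719/2 = 258,840 comparisons, quadratic in the request size, while the seeded hash spreads the same names across buckets and needs a few hundred. The parameter limit is the cheaper but blunter defence: it caps the quadratic term without fixing the hash, which is why it was shipped first as a workaround.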
Given the recent ‘hacktivist’ activity we have been seeing, it would not surprise me if this attack were used against sites in the financial industry as well as in the public sector. In any case, the Microsoft patch is a must for your web-facing ASP.NET systems now. The US-CERT vulnerability page for this issue is a good place to keep track of vendors’ responses as more platforms are found to be vulnerable.