Secplicity - Security Simplified

Powered by WatchGuard Technologies

Out-of-Cycle Bulletin Fixes Serious ASP.NET Padding Oracle Vulnerability

September 29, 2010 By The Editor

Summary:

  • This vulnerability affects: All current versions of Microsoft’s .NET Framework
  • How an attacker exploits it: By sending a large number of web requests containing cipher text (and interpreting error responses)
  • Impact: In the worst case, an attacker can gain enough information to read and/or tamper with encrypted data from your web server
  • What to do: Install the proper .NET Framework update immediately (Windows Update will not immediately push this update; you should download it manually)

Exposure:

At a cryptography conference in 2002, a researcher introduced a cryptological “side-channel” attack called a padding oracle attack, which attackers can leverage to decrypt Cipher Block Chaining (CBC) mode encryption without knowing the encryption key. Without getting into too much technical detail, block ciphers, like those used in CBC mode, require that every message fill a whole number of fixed-size blocks (multiples of eight bytes). However, the plain text messages you encrypt come in varying lengths, which may not fit perfectly within those specifically sized boundaries. As a result, cryptographic algorithms have to use padding to fill in the extra, unused portions of each block. In order to check whether an encrypted value is padded correctly, encryption mechanisms employ something called a padding oracle. The researcher from 2002 found that by sending multiple, incorrectly padded messages to a server, he could interpret the error messages returned by the padding oracle to eventually learn enough to decrypt the server’s encrypted content without knowing the encryption key. The researcher even released a tool called Padding Oracle Exploit Tool (POET), which you can use to leverage this class of vulnerability.

More recently, at the Ekoparty security conference in Argentina, two security researchers reported that Microsoft ASP.NET suffers from this classic padding oracle attack. More specifically, they found a universal padding oracle vulnerability that supposedly affects every ASP.NET web application. They claimed attackers can leverage this flaw to decrypt cookies, view states, form authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API. As a result of these researchers’ findings, Microsoft has decided to release an out-of-band security update to correct this issue.

According to Microsoft’s out-of-band security bulletin, the ASP.NET components that ship with the .NET Framework suffer from an information disclosure vulnerability due to a padding oracle flaw like the one described above. By repeatedly sending web requests containing a cipher text to a vulnerable ASP.NET web server, an attacker could interpret the error messages returned by the web server to eventually gain enough information to read or tamper with encrypted data. This would allow the attacker to gain access to significant amounts of sensitive information from your web server, and in one example, attackers even demonstrated how this leak could be leveraged to attack and potentially gain full access to the server.
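
Why the error messages matter, shown as an added example that is not from the original alert or from Microsoft: the first handler answers a padding failure differently from any other failure, which is the oracle described above, while the second authenticates the cipher text before decrypting and answers every failure identically. This is a general mitigation pattern, not a description of Microsoft's update; the keys, the `user=` ticket format, the 16-byte block size and the toy Feistel cipher (a stand-in so the code runs on Python's standard library) are all assumptions.

```python
import hashlib, hmac, os

BLOCK = 16
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # sample keys only

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _cipher(block, decrypt=False):
    # Toy 4-round Feistel permutation standing in for a real block cipher (assumption).
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for rnd in (3, 2, 1, 0) if decrypt else (0, 1, 2, 3):
        l, r = r, _xor(l, hmac.new(ENC_KEY, bytes([rnd]) + r, hashlib.sha256).digest())
    return r + l if decrypt else l + r

def cbc_encrypt(plaintext):
    pad = BLOCK - len(plaintext) % BLOCK          # PKCS#7: always 1..BLOCK pad bytes
    data = plaintext + bytes([pad]) * pad
    out = [os.urandom(BLOCK)]                     # random IV travels as block 0
    for i in range(0, len(data), BLOCK):
        out.append(_cipher(_xor(data[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(_cipher(c, True), prev) for prev, c in zip(blocks, blocks[1:]))
    pad = pt[-1] if pt else 0
    if len(ct) % BLOCK or not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("Padding is invalid")
    return pt[:-pad]

def vulnerable_handler(token):
    try:
        ticket = cbc_decrypt(token)
    except ValueError as exc:
        return 500, str(exc)                      # distinct error = the padding oracle
    return (200, "ok") if ticket.startswith(b"user=") else (403, "malformed ticket")

def seal(plaintext):
    ct = cbc_encrypt(plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()   # encrypt-then-MAC

def hardened_handler(token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return 400, "bad request"                 # tampering rejected before decryption
    # Same decrypt path, reached only for authentic cipher text; all failures look alike.
    status, _ = vulnerable_handler(ct)
    return (200, "ok") if status == 200 else (400, "bad request")
```

Given a modified token, the first handler returns 500 or 403 depending on whether the padding survived the change; the second returns the same 400 for every modified token, so its responses carry no information about the padding.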

Researchers have already released tools and shared examples showing how you can leverage this vulnerability. Furthermore, Microsoft has also seen evidence of attackers leveraging this flaw in the wild. If you have a web server using the .NET Framework, we highly recommend you update it immediately.

For more technical detail about this flaw, check out the articles in the References section below.

Solution Path:

Microsoft has released .NET Framework updates to fix this vulnerability. If you have web servers that use the .NET Framework, you should download, test and deploy the corresponding update immediately:

  • Windows XP Service Pack 3
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241)
    • Microsoft .NET Framework 3.5 (KB2416468)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows XP Professional x64 Edition Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241)
    • Microsoft .NET Framework 3.5 (KB2416468)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2003 Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416451)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241)
    • Microsoft .NET Framework 3.5 (KB2416468)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2003 x64 Edition Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241)
    • Microsoft .NET Framework 3.5 (KB2416468)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2003 with SP2 for Itanium-based Systems
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2418241)
    • Microsoft .NET Framework 3.5 (KB2416468)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Vista Service Pack 1
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416474)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Vista Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416470)
    • Microsoft .NET Framework 3.5 (KB2418240)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Vista x64 Edition Service Pack 1
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416474)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Vista x64 Edition Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416470)
    • Microsoft .NET Framework 3.5 (KB2418240)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2008
    • Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5** (KB2416469)
    • Microsoft .NET Framework 2.0 Service Pack 2** (KB2416474)
    • Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473)
    • Microsoft .NET Framework 4.0** (KB2416472)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2** (KB2416470)
    • Microsoft .NET Framework 3.5** (KB2418240)
    • Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473)
    • Microsoft .NET Framework 4.0** (KB2416472)
  • Windows Server 2008 for x64-based Systems
    • Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5** (KB2416469)
    • Microsoft .NET Framework 2.0 Service Pack 2** (KB2416474)
    • Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473)
    • Microsoft .NET Framework 4.0** (KB2416472)
  • Windows Server 2008 for x64-based Systems Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1** (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2** (KB2416470)
    • Microsoft .NET Framework 3.5** (KB2418240)
    • Microsoft .NET Framework 3.5 Service Pack 1** (KB2416473)
    • Microsoft .NET Framework 4.0** (KB2416472)
  • Windows Server 2008 for Itanium-based Systems
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5 (KB2416469)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416474)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
    • Microsoft .NET Framework 1.1 Service Pack 1 (KB2416447)
    • Microsoft .NET Framework 2.0 Service Pack 2 (KB2416470)
    • Microsoft .NET Framework 3.5 (KB2418240)
    • Microsoft .NET Framework 3.5 Service Pack 1 (KB2416473)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows 7 for 32-bit Systems
    • Microsoft .NET Framework 3.5.1 (KB2416471)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows 7 for x64-based Systems
    • Microsoft .NET Framework 3.5.1 (KB2416471)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2008 R2 for x64-based Systems
    • Microsoft .NET Framework 3.5.1 (KB2416471)
    • Microsoft .NET Framework 4.0 (KB2416472)
  • Windows Server 2008 R2 for Itanium-based Systems
    • Microsoft .NET Framework 3.5.1 (KB2416471)
    • Microsoft .NET Framework 4.0 (KB2416472)

** Server Core Installation Not Affected

For All Users:

This attack leverages normal-looking HTTP requests, which you must allow for your users to reach the web. Therefore, Microsoft’s patches are your primary recourse.
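
A log check to run while the update is being tested and deployed, shown as an added example that is not part of the original alert: it flags clients that send many requests to one resource, each with a different parameter value, where nearly all of them end in an error response. The log field order, the `/app/resource.axd` path, the sample lines and the thresholds are constructed assumptions to adapt to your own web server logs.

```python
from collections import defaultdict

# Constructed sample lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-09-29 10:00:01 192.0.2.10 GET /app/resource.axd d=AAAAAAAAAAAAAAAAAAAAAQ2 500
2010-09-29 10:00:01 192.0.2.10 GET /app/resource.axd d=AAAAAAAAAAAAAAAAAAAAAg2 500
2010-09-29 10:00:02 192.0.2.10 GET /app/resource.axd d=AAAAAAAAAAAAAAAAAAAAAw2 404
2010-09-29 10:00:02 192.0.2.10 GET /app/resource.axd d=AAAAAAAAAAAAAAAAAAAABA2 500
2010-09-29 10:00:03 198.51.100.7 GET /app/resource.axd d=kQ7xPl0aVb3 200
2010-09-29 10:00:04 198.51.100.7 GET /missing.aspx - 404
2010-09-29 10:00:05 198.51.100.7 GET /default.aspx - 200
""".splitlines()

def flag_oracle_probing(lines, min_errors=100, min_ratio=0.9):
    """Return {(client_ip, uri_stem): distinct_failing_values} for clients whose
    requests to one resource mostly fail while the parameter value keeps changing."""
    seen = defaultdict(lambda: {"total": 0, "errors": 0, "bad_values": set()})
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue                              # skip directives and malformed lines
        _, _, ip, _, stem, query, status = fields
        if query == "-":
            continue                              # no parameter, so no cipher text sent
        entry = seen[(ip, stem.lower())]
        entry["total"] += 1
        if status.startswith(("4", "5")):
            entry["errors"] += 1
            entry["bad_values"].add(query)
    return {
        key: len(e["bad_values"]) for key, e in seen.items()
        if len(e["bad_values"]) >= min_errors     # many different failing values
        and e["errors"] / e["total"] >= min_ratio # and almost nothing succeeds
    }
```

The default threshold is deliberately high because a single mistyped or stale link also produces an error; lower it only after checking what normal traffic to the resource looks like.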

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-70
  • Microsoft Security Advisory
  • Microsoft Blog Post 1
  • Microsoft Blog Post 2
  • Technical Write-up on Padding Oracle Attack on ASP.NET
  • Automated Padding Oracle Attacks
  • Ekoparty Paper Description

This alert was researched and written by Corey Nachreiner, CISSP.
