
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Microsoft Releases Out-of-Cycle .NET Framework Security Update

January 3, 2012 By Corey Nachreiner

Summary:

  • These vulnerabilities affect: All versions of Microsoft’s .NET Framework
  • How an attacker exploits it: Multiple ways, including sending specially crafted web requests or enticing users to click maliciously crafted links
  • Impact: Various. In the worst case, an attacker can log in to your web application as another user, without having that user’s password
  • What to do: Install the proper .NET Framework update immediately, or let Windows Update do it for you.

Exposure:

Last week — following the holiday weekend — Microsoft released a blog post and Security Advisory about a new, publicly disclosed ASP.NET Denial of Service (DoS) vulnerability.

A few days later, they released an out-of-cycle Security Bulletin fixing that .NET Framework vulnerability, and three others. Whether you manage a public web server with ASP.NET applications, or host such .NET applications internally, we highly recommend you download, test, and deploy the appropriate .NET Framework updates as soon as possible.

Microsoft’s out-of-cycle .NET Framework security bulletin describes four vulnerabilities, including the publicly disclosed DoS vulnerability mentioned above. The vulnerabilities have different scopes and impacts. I detail two of the more relevant issues below, in order of severity:

  • ASP.NET Forms Authentication Bypass Flaw – ASP.NET doesn’t properly authenticate specially crafted usernames. If an attacker has (or can create) an account on your ASP.NET application, and knows the username of a victim, the attacker can send a specially crafted authentication request that gives him access to the victim’s account without needing a valid password. However, your ASP.NET web site or application is only vulnerable to this when you’ve enabled “Forms Authentication.”
  • ASP.NET HashTable Collision DoS Vulnerability – Without going into great technical detail, ASP.NET suffers from a flaw involving the way it hashes specially crafted requests. In short, by sending specially crafted ASP.NET requests to your web application, an attacker can fill ASP.NET’s hash table with colliding hashes, which can greatly degrade the performance of your ASP.NET application or web site. If you are technically inclined, and would like more details, we recommend reading n.run’s advisory concerning this flaw.

Microsoft’s bulletin also fixes a less severe privilege escalation vulnerability, as well as an insecure URL redirect flaw. For more details on these two flaws, see the “Vulnerability Information” section of Microsoft’s bulletin.
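
Why colliding hashes degrade performance, as an added illustration that is not part of the original alert and not Microsoft's code: the toy chained table below counts key comparisons for the same 720 parameter names under a deliberately weak hash and under a keyed hash, and shows a per-request parameter cap. `toy_hash`, `keyed_hash`, `check_param_count` and the limit of 1000 are assumptions of this example, not ASP.NET's algorithm or settings.

```python
import hashlib
import os
from itertools import permutations

BUCKETS = 1024
_SECRET = os.urandom(16)  # per-process key for the keyed hash


def toy_hash(key: str) -> int:
    # Deliberately weak stand-in (assumption): ignores byte order, so all
    # anagrams of a string share one bucket. Not ASP.NET's real hash.
    return sum(key.encode()) % BUCKETS


def keyed_hash(key: str) -> int:
    # Keyed hash: bucket choice depends on a secret the client never sees.
    digest = hashlib.blake2b(key.encode(), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def insert_cost(keys, hash_fn) -> int:
    """Insert keys into a chained hash table; return key comparisons made."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key)]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)  # key not present yet: extend the chain
    return comparisons


def check_param_count(keys, max_keys=1000):
    """Reject a request with more parameters than max_keys (assumed limit)
    before any of them is hashed."""
    if len(keys) > max_keys:
        raise ValueError(f"{len(keys)} parameters exceeds limit {max_keys}")
    return keys


# Constructed sample input: 720 distinct parameter names, all anagrams.
COLLIDING = ["".join(p) for p in permutations("abcdef")]

if __name__ == "__main__":
    print("keys:", len(COLLIDING))
    print("weak hash comparisons: ", insert_cost(COLLIDING, toy_hash))
    print("keyed hash comparisons:", insert_cost(COLLIDING, keyed_hash))
```

With the weak hash every insert walks the whole chain, so the work grows with the square of the number of parameters; the cap bounds that work regardless of which hash is in use.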

Solution Path:

Microsoft has released .NET Framework updates to fix these vulnerabilities. If you have web servers or clients that use the .NET Framework, you should download, test and deploy the corresponding updates immediately.

Due to the exhaustive and varied nature of .NET Framework installations (1.1, 2.0, 3.5.x, and 4.0 running on many Windows platforms), we will not include links to all the updates here. We recommend you visit the “Affected and Non-Affected Software” section of Microsoft’s bulletin for those details.

If possible, we also recommend you use Windows Update to automatically download and install the appropriate .NET Framework updates on client computers. That said, you may still want to keep production servers on a manual update process, to avoid upgrade-related problems that could affect business-critical machines.

For All Users:

This attack typically leverages normal looking HTTP requests, which you must allow for users to reach your web application. Therefore, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS11-100
  • Microsoft Security Advisory
  • Microsoft Security Blog Post
  • Technical Write-up on ASP.NET Hash Table DoS Flaw

This alert was researched and written by Corey Nachreiner, CISSP.

Filed Under: Security Bytes Tagged With: asp.net, Microsoft, out-of-cycle

Comments

  1. Jake H says

    January 3, 2012 at 7:28 pm

    If we have IPS enabled, are we protected?

    • Corey Nachreiner says

      January 5, 2012 at 10:21 am

      Jake,

      That is a great and very valid question.

      We outsource our IPS signatures to a best-in-class IPS vendor. The pros to doing this are that we get rapid, high-quality signatures that have great catch rates in our tests (we use some industry-standard IPS testing equipment to validate all our signatures). The con is… since we don’t manage the signature library, I’m limited in the tools I have locally to search signatures. We have our security portal:

      (http://www.watchguard.com/SecurityPortal/ThreatDB.aspx)

      However, its search is based on rule ID and name, it doesn’t search the other signature fields. Thus, a search for MS11-xxx, won’t have hits, even though we have many signatures for many MS bulletins last year.

      So at this point, I am unsure if we have a MS11-100 signature yet. We have already opened a ticket with our partner though for this signature. If we don’t already have one, they will create one very quickly (their turnaround has been very quick for our requests). Anecdotally, I can tell you when I’ve pointed out other zero day Microsoft exploits in the past (which had exploit code), our partner had created signatures for them almost immediately, and had tested the signatures and added them to our database within days.
