The newly disclosed vulnerability in Web application frameworks such as Microsoft's ASP.NET can be exploited to trigger a denial of service on vulnerable Web servers.
has released a workaround for an ASP.NET vulnerability to help protect Websites
against potential denial-of-service (DoS) attacks, according to a security
publicly disclosed vulnerability affects all supported versions of the .NET
framework, but Microsoft is "not aware" of any attacks in the wild
currently exploiting the flaw, Dave Forstrom, director of Microsoft Trustworthy
Computing, wrote on the Microsoft
Security Response Center
blog on Dec. 28. While Microsoft is working on a
patch to address the bug, Forstrom did not indicate when the fix will be
anonymous attacker could exploit the zero-day vulnerability to efficiently
consume all CPU resources on a Web server, resulting in a denial-of-service
condition, Suha Can and Jonathan Ness, MSRC engineers, wrote on the Security
Research and Defense blog.
exploit uses a specially crafted HTTP request containing thousands of form
values to create a hash table that is computationally expensive to process. Any
ASP.NET Website that accepts form data is likely to be vulnerable, as well as
Web servers running the default configuration of Internet Information Services
(IIS) when ASP.NET is enabled, according to the post.
teams are working around the clock worldwide to develop a security update of
appropriate quality to address the issue," Forstrom wrote.
suggested workaround modifies the Web and application host configuration files
to define a maximum limit to the request size that ASP.NET will accept,
according to the security advisory. Decreasing the limit will also lower the "susceptibility"
of the ASP.NET server and the Web application, Microsoft said. The
configuration change will result in the server returning an error whenever a
request exceeding the maximum limit is sent. However, applications that allow
users to upload files may be impacted by the configuration change.
HTTP request that is merely 100KB in size can lock up 100 percent of a single
CPU core for almost 2 minutes on the ASP.NET platform. Attackers could
repeatedly send these requests and cause the server's performance to degrade
significantly and cause a denial of service. Can and Ness said the requests
could even impact multicore servers and server clusters.
exploiting this vulnerability would differ from typical DoS attacks because
they won't require a botnet or a lot of coordination to take the Web server
down, Andrew Storms, director of security operations of nCircle, told eWEEK
. While most DoS attacks rely on a
huge number of small requests to overwhelm a Web server, in this case a single
request can consume a single core for 90 seconds, he said.
up a few of these requests every few minutes, and the site will be essentially
knocked offline," Storms said.
W???lde and Alexander Klink
presented the new way to attack Web Application
Frameworks at the Chaos Communication Congress conference in Germany on Dec.
28. They also posted details of the vulnerability on the gmane.comp.security
full disclosure mailing list
zero-day vulnerability is not unique to ASP.NET, as the list of affected
products include PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle
Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8, according to the
post on the full disclosure list. While there are no active attacks in the
wild, Microsoft anticipates an "imminent" release of exploit code,
Can and Ness wrote.
predicted other vendors will be making similar zero-day announcements and
coming up with mitigation advice for other platforms. Apache has already updated Tomcat for versions 7.0.x and 6.0.x and a release is planned for 5.5.x, Mark Thomas of the Apache Software Foundation Security
Team told eWEEK.
Other vendors have not responded to queries.
year around the holidays we get a security fire drill, and this year is no
exception," Storms said.
will deliver an emergency patch "pretty quickly," possibly sometime
this week, Storms predicted. Testing and deploying the emergency patch could
pose a challenge for most enterprise IT teams, as they may be "running
skeleton crews," Storms said.
Website owners should review the advisory to "evaluate the
denial-of-service risk" and to implement the workaround and attack
detection mechanisms to protect the sites until a security update is available,
Microsoft recommended. The company is also working with partners through the
Microsoft Active Protections Program to help build protections in other
software products, according to Forstrom.