Important: ASP.NET Security Vulnerability

A few hours ago Microsoft released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET application, such as the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data that was sent to the client in encrypted form (such as the ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send ciphertext to the web server and learn whether it was decrypted properly by examining which error code the web server returned. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the ciphertext.
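The leak the paragraph describes, as an added example that is not part of the advisory: a toy CBC construction (XOR in place of a real block cipher, so it runs offline and provides no confidentiality) with a handler that decrypts first and reports padding and authentication failures with different status codes, beside one that authenticates the ciphertext before decrypting (encrypt-then-MAC with a constant-time comparison) and returns a single fixed response for every failure. The keys, IV and sample ViewState string are constructed for the demonstration.

```python
"""Added example (not from the advisory): how distinguishable decryption
failures form a padding oracle, and the handler shape that closes it.

The cipher below is a deliberately TOY construction (CBC chaining over a
16-byte XOR) so the padding and MAC error paths can be exercised offline.
It provides no confidentiality; the point is the error handling around it.
"""
import hashlib
import hmac

BLOCK = 16
TAG_LEN = 32
# Constructed demo keys; a real deployment derives these from machineKey/KDF.
ENC_KEY = hashlib.sha256(b"constructed enc key").digest()[:BLOCK]
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
DEMO_IV = bytes(range(BLOCK))  # fixed so results are reproducible


class BadPadding(Exception):
    pass


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise BadPadding()
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise BadPadding()
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = _xor(_xor(padded[i:i + BLOCK], prev), key)  # TOY block cipher: XOR with key
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(_xor(c, key), prev))
        prev = c
    return b"".join(out)


# --- Vulnerable shape: MAC-then-encrypt, decrypt first, distinct errors ---
def seal_vulnerable(plaintext, iv=DEMO_IV):
    tag = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()
    return iv + cbc_encrypt(ENC_KEY, iv, pkcs7_pad(plaintext)) + tag


def vulnerable_handler(token):
    """Padding is checked before authentication, and each failure maps to a
    different status: the status code itself is the oracle."""
    iv, body, tag = token[:BLOCK], token[BLOCK:-TAG_LEN], token[-TAG_LEN:]
    try:
        plaintext = pkcs7_unpad(cbc_decrypt(ENC_KEY, iv, body))
    except BadPadding:
        return 500, "Padding is invalid and cannot be removed."
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()):
        return 403, "Message authentication failed."
    return 200, plaintext.decode()


# --- Hardened shape: encrypt-then-MAC, authenticate first, one fixed answer ---
GENERIC_ERROR = (500, "An error occurred while processing your request.")


def seal_hardened(plaintext, iv=DEMO_IV):
    body = cbc_encrypt(ENC_KEY, iv, pkcs7_pad(plaintext))
    tag = hmac.new(MAC_KEY, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def hardened_handler(token):
    """Tampered ciphertext never reaches the padding check, the tag comparison
    is constant-time, and every failure returns the same response."""
    if len(token) < BLOCK + TAG_LEN or (len(token) - TAG_LEN) % BLOCK:
        return GENERIC_ERROR
    iv, body, tag = token[:BLOCK], token[BLOCK:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, iv + body, hashlib.sha256).digest()):
        return GENERIC_ERROR
    try:
        return 200, pkcs7_unpad(cbc_decrypt(ENC_KEY, iv, body)).decode()
    except (BadPadding, UnicodeDecodeError):
        return GENERIC_ERROR  # unreachable for forged input; kept for robustness


def observed_statuses(seal, handler, plaintext=b"example ViewState"):
    """Corrupt the final ciphertext byte (breaks padding) and, separately, the
    tag (padding intact). Return the set of statuses seen: one means no oracle."""
    good = seal(plaintext)
    bad_padding = bytearray(good)
    bad_padding[-TAG_LEN - 1] ^= 0x01
    bad_tag = bytearray(good)
    bad_tag[-1] ^= 0x01
    return {handler(bytes(bad_padding))[0], handler(bytes(bad_tag))[0]}


if __name__ == "__main__":
    print("vulnerable:", observed_statuses(seal_vulnerable, vulnerable_handler))
    print("hardened:  ", observed_statuses(seal_hardened, hardened_handler))
```

The vulnerable handler answers 500 for a padding failure and 403 for an authentication failure, so one request tells the caller which check failed; the hardened handler answers 500 to both. The customErrors workaround below is the deployable equivalent for an application you cannot recompile: it collapses the distinguishable error pages into one response.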

How to Work Around the Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page, regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on customErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the "defaultRedirect" attribute on the <customErrors> section and ensure that no per-status-code error pages are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5, follow the steps below to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET application's root Web.config file. If the file doesn't exist, create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the settings below:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>


3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed any time an error occurs within the web application.

Notes: The important things to note above are that customErrors is set to "On", and that all errors are handled by the defaultRedirect error page. There are no per-status-code error pages defined, which means that there are no <error> sub-elements within the <customErrors> section. This prevents an attacker from being able to differentiate why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0, follow the steps below to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET application's root Web.config file. If the file doesn't exist, create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the settings below. Note the use of redirectMode="ResponseRewrite" with .NET 3.5 SP1 and .NET 4.0:

<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>


3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed any time an error occurs within the web application.

4) We recommend adding the code below to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, which has a random, small sleep delay in it. You do not need to compile this into an application; you can just save this Error.aspx file into the application directory on your web server:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' Sleep 0-255 ms, drawn from a CSPRNG, so response timing does not
        ' reveal which error path ran on the server.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))

        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>


C# Version

Below is a C# version of an Error.aspx file that you can use, which has a random, small sleep delay in it. You do not need to compile this into an application; you can just save it into the application directory on your web server:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep 0-255 ms, drawn from a CSPRNG, so response timing does not
        // reveal which error path ran on the server.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>


How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test that the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn't exist), then your configuration should be set up correctly. If you see a standard ASP.NET error, then it is likely that you missed one of the steps above. To see more information about what might be the cause of the problem, you can temporarily set <customErrors mode="RemoteOnly" />, which will let you see the detailed error message when you connect to the site from a browser running on the server itself.
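Automating the check above, as an added example that is not the advisory's own tooling: it requests several URLs that cannot exist, does not follow redirects so it compares what the server itself sends, and flags either the stock ASP.NET error page or responses that differ between probes. The probe paths, the two loopback stand-in servers and the marker text are constructed for the demonstration.

```python
"""Added example (not the advisory's tooling): automate the verification step
by requesting several URLs that cannot exist and checking that the site answers
every one of them identically and never with the stock ASP.NET error page.
"""
import http.client
import http.server
import threading
import urllib.parse

# Text that appears on the standard ASP.NET error page ("yellow screen").
ASPNET_ERROR_MARKER = b"Server Error in "
# Constructed probe paths; none should exist on a real site.
PROBE_PATHS = ("/pagethatdoesnotexist.aspx", "/also-missing.ashx", "/no/such/dir/")


def probe(base_url, path):
    """GET one path without following redirects.
    Returns (status, redirect target without its query string, body)."""
    u = urllib.parse.urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        location = resp.getheader("Location") or ""
    finally:
        conn.close()
    # defaultRedirect appends ?aspxerrorpath=<requested path> to the redirect,
    # so that part legitimately varies per probe; compare the target path only.
    location = urllib.parse.urlsplit(location)._replace(query="").geturl()
    # A redirect body only echoes the target URL, so ignore it when redirected.
    return resp.status, location, b"" if location else body


def check_custom_errors(base_url, paths=PROBE_PATHS):
    """Return a list of findings; an empty list means every probe produced the
    same response and none of them was the stock ASP.NET error page."""
    findings, seen = [], set()
    for path in paths:
        status, location, body = probe(base_url, path)
        if ASPNET_ERROR_MARKER in body:
            findings.append(f"{path}: standard ASP.NET error page returned (status {status})")
        seen.add((status, location, body))
    if len(seen) > 1:
        findings.append("responses differ across probes")
    return findings


# ---- constructed stand-ins so the check can be exercised offline ----
class _WorkaroundApplied(http.server.BaseHTTPRequestHandler):
    """Every request is redirected to the single custom error page."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/error.html?aspxerrorpath=" + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


class _WorkaroundMissing(http.server.BaseHTTPRequestHandler):
    """Stock error page, with a status that depends on the request."""
    def do_GET(self):
        self.send_response(404 if self.path.endswith(".aspx") else 500)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<h1>Server Error in '/' Application.</h1>")

    def log_message(self, *args):
        pass


def run_against(handler_cls):
    """Serve handler_cls on a loopback port, run the check, return its findings."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_custom_errors(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("workaround applied:", run_against(_WorkaroundApplied))
    print("workaround missing:", run_against(_WorkaroundMissing))
```

Against a real site, call check_custom_errors("http://mysite.com") from outside the server, since RemoteOnly would show a local browser the detailed page that remote clients never see; and if you switched the mode to RemoteOnly to diagnose a problem, set it back to "On" before trusting the result.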

How to Find Vulnerable ASP.NET Applications on Your Web Server

The http://asp.net team has published a .vbs script that you can save and run on your web server to determine whether there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here. Simply copy/paste the script into a text file called "DetectCustomErrors.vbs" and save it to disk. Then launch a command window that is elevated as admin and run "cscript DetectCustomErrors.vbs" to run it against your local web server. It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.

It will flag any application whose web.config file doesn't have the <customErrors> section (in which case you need to add it), or doesn't have it set correctly to work around this attack (in which case you need to update it). It will print "ok" for each application web.config file it finds that is fine. This should hopefully make it easier to locate issues.

Note: The http://asp.net team has developed this detection script over the last few hours, and will be refining it further in the future. I will post an update in this section each time we make a change to it.
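The checks the detection script performs, as an added example that is a reimplementation rather than the team's DetectCustomErrors.vbs: each web.config is parsed and reported as "ok" or with the first rule it fails (section missing, mode not "On", no defaultRedirect, per-status <error> children). It walks a directory tree instead of asking IIS for its application list, and the sample configuration files it audits are constructed.

```python
"""Added example (not the team's DetectCustomErrors.vbs): the same rules the
advisory asks the script to enforce, applied to every web.config under a folder.
"""
import os
import tempfile
import xml.etree.ElementTree as ET


def _child(elem, local_name):
    """First child with this local tag name; tolerates a default xmlns."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == local_name:
            return child
    return None


def audit_web_config(xml_text):
    """Return 'ok' or the first reason the file does not match the workaround:
    customErrors must exist, have mode="On", set defaultRedirect, and carry
    no per-status <error> children."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return f"cannot parse web.config: {exc}"
    system_web = _child(root, "system.web")
    custom_errors = _child(system_web, "customErrors") if system_web is not None else None
    if custom_errors is None:
        return "customErrors section missing"
    mode = custom_errors.get("mode", "")
    if mode.lower() != "on":
        return f"customErrors mode is '{mode or 'unset'}' (needs 'On')"
    if not custom_errors.get("defaultRedirect"):
        return "defaultRedirect attribute not set"
    if _child(custom_errors, "error") is not None:
        return "per-status <error> elements present"
    return "ok"


def audit_tree(root_dir):
    """Audit every web.config (any casing) below root_dir; returns {path: verdict}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results[path] = audit_web_config(fh.read())
    return results


# Constructed sample files, one per verdict the audit can give.
SAMPLES = {
    "good": """<configuration><system.web>
        <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
    </system.web></configuration>""",
    "namespaced": """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web><customErrors mode="On" defaultRedirect="~/error.html" /></system.web>
    </configuration>""",
    "remote_only": """<configuration><system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
    </system.web></configuration>""",
    "no_redirect": """<configuration><system.web><customErrors mode="On" /></system.web></configuration>""",
    "per_status": """<configuration><system.web>
        <customErrors mode="On" defaultRedirect="~/error.html">
            <error statusCode="404" redirect="~/notfound.html" />
        </customErrors>
    </system.web></configuration>""",
    "missing": """<configuration><system.web><compilation debug="false" /></system.web></configuration>""",
}


def demo_tree():
    """Write the samples into app-style folders under a temp dir and audit them.
    Returns {sample name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            app_dir = os.path.join(tmp, name)
            os.makedirs(app_dir)
            with open(os.path.join(app_dir, "Web.config"), "w", encoding="utf-8") as fh:
                fh.write(text)
        verdicts = audit_tree(tmp)
    return {os.path.basename(os.path.dirname(p)): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo_tree().items()):
        print(f"{name:12} {verdict}")
```

Point audit_tree at the wwwroot (or each site's physical path from IIS) and act on every verdict other than "ok". One assumption to keep in mind: ASP.NET configuration is inherited from parent web.config and machine.config files, so a child application without its own <customErrors> may in practice inherit a correct one; this audit, like the advisory's script, judges each file on its own and errs on the side of flagging it.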

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:


Forum for Questions

There is a dedicated forum on the www.asp.net site to help answer questions about this vulnerability.

Post questions there to get help about this vulnerability.

Summary

I will post more details as I learn more, and will also post about the patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.

This article applies to:

Operating System: Component(s)

Windows XP
  Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005: Microsoft .NET Framework 1.0 Service Pack 3
  Windows XP Service Pack 3: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows XP Professional x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0

Windows Server 2003
  Windows Server 2003 Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2003 x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2003 with SP2 for Itanium-based Systems: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0

Windows Vista
  Windows Vista Service Pack 1: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Vista Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Vista x64 Edition Service Pack 1: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Vista x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0

Windows Server 2008
  Windows Server 2008 for 32-bit Systems**: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2008 for 32-bit Systems Service Pack 2**: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2008 for x64-based Systems**: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2008 for x64-based Systems Service Pack 2**: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2008 for Itanium-based Systems: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0
  Windows Server 2008 for Itanium-based Systems Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0

Windows 7
  Windows 7 for 32-bit Systems: Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0
  Windows 7 for x64-based Systems: Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0

Windows Server 2008 R2
  Windows Server 2008 R2 for x64-based Systems*: Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0
  Windows Server 2008 R2 for Itanium-based Systems: Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0

*Server Core installation affected. This vulnerability applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. This vulnerability does not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

4 thoughts on “Important: ASP.NET Security Vulnerability”

  1. - Please make sure to also map all custom errors to a single error page. It is not enough to simply enable customErrors. You also need to specify the defaultRedirect attribute and make sure that there are no sub elements within the section. The post above describes how to do this.
     - Encrypting your connection strings has always been our recommended best practice and prevents someone from identifying them if the web.config file is compromised. Having said that, you want defense in depth and so do not want the web.config file ever exposed.
     - It also impacts Sharepoint and ASP.NET MVC.
     - This vulnerability is in our ASP.NET implementation (and will be fixed in a patch).
     - I'm not sure if Mono has the same bug.
     - This vulnerability impacts ASP.NET resources (not just ASPX pages). You shouldn't need to make any changes to the custom error pages of IIS.
     - The attack that was shown in public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). It's expected MS will obviously release a patch for this soon; until then the above workaround closes the attack vector.
     - I would recommend temporarily updating the module to always redirect to the search page. One of the ways this attack works is that it looks for differentiation between 404s and 500 errors. Always returning the same HTTP code and sending them to the same place is one way to help block it.

     Note that when the patch comes out to fix this, you won't need to do this (and can revert back to the old behavior). But for right now I'd recommend not differentiating between 404s and 500s to clients.

  2. Update on ASP.NET Vulnerability

     Earlier this week we posted about an ASP.NET Vulnerability.
     Microsoft is actively working on releasing a security update that fixes the issues, ready for broad distribution across all Windows platforms via Windows Update. We'll post details about this once it is available.

     Revised Workaround and Additional URLScan Step

     In our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.
     This additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround; rather, it should be done in addition to the steps already in it. Below are instructions on how to enable it.

     Install and Enable IIS URLScan with a Custom Rule

     If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

      * x86 Version
      * x64 Version

     It takes less than a minute to install on your server.

     Add an Additional URLScan Rule

     Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

         %windir%\system32\inetsrv\urlscan\UrlScan.ini

     Near the bottom of the UrlScan.ini file you
