Tweet

Microsoft has released an advisory alerting its users about a critical vulnerability in ASP.NET (CVE-2011-3414). An attacker could potentially bring down a server (Denial of Service) with specially crafted requests. Given that all versions of ASP.NET are vulnerable, its exposure is pretty big. This advisory was in response to a public advisory presented in the 28th Chaos Communication Congress.

The root cause of the problem lies in hash collisions. Most web applications use hashes to store user supplied inputs/form parameters. The inputs are supplied by users; hence attackers can control what values are eventually filled in the hashes. In this particular attack, the attacker sends too many key value pairs with colliding keys. If the hash implementation of the language is not randomized, it can result in numerous hash collisions, given that a lot of colliding entries are sent. The resolution of these collisions results in very high CPU usage.

An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other web applications, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP using python, ruby, Java are also vulnerable to this same issue. It’s not a specific vulnerability but a fundamental software flaw with the implementation of hash algorithms.

Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, user may refer to Trend Micro security advisory page in our Threat Encyclopedia.

Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

Update as of January 9, 2012,11:00 PM PST

The Microsoft out of band update also addressed three other vulnerabilities:

CVE-2011-3415:

This vulnerability is a domain spoofing/open redirect vulnerability in Forms Authentication feature in the .Net Form Authentication. An attacker can use crafted URL to redirect the users to any website without the users’ knowledge. The attack vector can be a crafted link, which leads to a phishing attack to steal the sensitive information from the user like login credentials.

Websites with ASP.Net installed are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are also vulnerable to this.

CVE-2011-3416:

This vulnerability is an authentication bypass flaw in ASP.Net. An attacker who successfully exploited this vulnerability can gain complete access to targeted users’ accounts and run any arbitrary commands with its privileges.

Trend Micro Deep Security provides zero day protection against such attacks using it’s heuristic based rule like ‘1000128 – HTTP Protocol Decoding‘.

CVE-2011-3417:

This vulnerability pertains to a specific configuration of ASP.Net. A system with sliding expiration enabled is only vulnerable to this. Once successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

• 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
• 1004887—Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
• 1000128—HTTP Protocol Decoding