Hackers don't sleep during the Christmas time (Dominik Pinter, December 2011)
I hope that most of you are enjoying the Christmas holiday these days, but you should make sure that all your servers are up to date. Yesterday, 29th December, Microsoft released a security bulletin and a security update which fixes four security vulnerabilities in ASP.NET. One of them is rated as critical.
Updates can be downloaded and applied through Windows Update. The vulnerabilities affect all versions of ASP.NET and they are not related to Kentico CMS. The official Microsoft bulletin is here, and here you can find the official knowledge base article about it. The rest of my blog post briefly describes each of the vulnerabilities.

Insecure Redirect in .NET Form Authentication Vulnerability - applicable to .NET version 2.0 and newer; its severity rating is moderate. This vulnerability was not publicly disclosed before the update was available. During forms authentication an attacker can spoof the return URL, which can lead to a redirect to the attacker's site without the user's knowledge. This way the attacker can obtain confidential information from the user. This attack is usually referred to as phishing.

ASP.NET Forms Authentication Bypass Vulnerability - applicable to all .NET versions; its severity rating is critical. This vulnerability was not publicly disclosed before the update was available. The precondition for this vulnerability is that an attacker must be able to register an account in the ASP.NET application and she must know an existing account name on the server. Then the attacker can send a special request and execute arbitrary commands on the site in the context of the targeted user. This vulnerability leads to elevation of privileges.

ASP.NET Forms Authentication Ticket Caching Vulnerability - applicable to all .NET versions; its severity rating is important. This vulnerability was not publicly disclosed before the update was available. This vulnerability is exploitable only if forms authentication with sliding expiration is used. The attacker can then elevate her privileges and run arbitrary commands in the context of a different user.

Collisions in HashTable May Cause DoS Vulnerability - applicable to all .NET versions; its severity rating is important. This vulnerability was published on 28th December at a conference held by the Chaos Computer Club. See this link for more info about the session. It affects not only ASP.NET web applications but also several others, such as PHP or Java applications. An attacker can consume most of the server's resources for several minutes or hours by sending a few special requests. After that the server is not able to respond to other requests. This attack is referred to as a DoS. If you are interested in the details of this vulnerability, see this document.

As I wrote above, the update which fixes these vulnerabilities is available via Windows Update. If you cannot update, search for workarounds in the security bulletin.
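To illustrate the idea behind the aspnet:MaxHttpCollectionKeys workaround discussed in the comments below (an added example written for this post, not Microsoft's or Kentico's code): a small Python parser for form bodies that counts fields while scanning and rejects the request before the hash table is ever populated. The 1000 default comes from the comment; the function and exception names are assumptions.

```python
# Added example, not from the original post or from ASP.NET itself.
# Mirrors the MaxHttpCollectionKeys mitigation: cap the number of form
# fields that a single request may carry, and enforce the cap *before*
# the fields are inserted into a hash table.
from urllib.parse import unquote_plus

DEFAULT_MAX_KEYS = 1000  # the ASP.NET default quoted in the comments


class TooManyFormKeys(ValueError):
    """Raised when a request body carries more fields than the limit allows."""


def _iter_pairs(body: str):
    """Yield each non-empty 'name=value' chunk without building a list first."""
    start = 0
    while start <= len(body):
        end = body.find("&", start)
        if end == -1:
            end = len(body)
        if end > start:
            yield body[start:end]
        start = end + 1


def parse_form_body(body: str, max_keys: int = DEFAULT_MAX_KEYS) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    The field count is checked during the scan, so an oversized body raises
    TooManyFormKeys before its keys reach the dictionary. A collision-heavy
    payload can only burn CPU if the server lets it populate the table.
    """
    fields = {}
    count = 0
    for pair in _iter_pairs(body):
        count += 1
        if count > max_keys:
            raise TooManyFormKeys(f"more than {max_keys} form fields in request")
        name, sep, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value) if sep else ""
    return fields
```

A server that wraps its form parsing this way turns an oversized request into a cheap, early rejection instead of minutes of hashing work.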


Posted: 12/30/2011 10:19:05 AM by Dominik Pinter | with 2 comments

Comments
kentico_dominikp
Hi Gareth,
according to Scott Guthrie's answer on his blog (http://weblogs.asp.net/scottgu/archive/2011/12/28/asp-net-security-update-shipping-thursday-dec-29th.aspx) the number of POST parameters is limited to 1000 by default. This shouldn't be a problem for Kentico CMS since we don't have forms containing 1000 fields or so. However, you can create your own form with an unlimited number of fields using, for example, our "on-line forms" functionality. If you need forms with more than 1000 fields you can change the default behaviour with the following key:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="<your desired number>"/>
</appSettings>
1/9/2012 5:32:08 AM
Gareth
Any updates on how this affects Kentico?

The update limits the number of POST and viewstate "variables" to 500.
1/8/2012 1:21:40 PM
Dominik Pinter
Hi, I'm Sr. Developer at Kentico. My main interests are Azure platform and web application security. My blog will be primary focused on these two topics. 