Hackers don't sleep during Christmas

I hope most of you are enjoying the Christmas holidays, but you should still make sure that all your servers are up to date. Yesterday, 29th December, Microsoft released security bulletin MS11-100 and the accompanying security update, which fixes four security vulnerabilities in ASP.NET. One of them is rated critical.
The update can be downloaded and applied through Windows Update. The vulnerabilities affect all versions of ASP.NET and are not specific to Kentico CMS: any ASP.NET application is affected. The official Microsoft bulletin is here, and here you can find the official knowledge base article about it. The rest of this post briefly describes each of the vulnerabilities.

Insecure Redirect in .NET Form Authentication Vulnerability - applies to .NET Framework 2.0 and newer; severity rating moderate. This vulnerability was not publicly disclosed before the update was available. During forms authentication an attacker can supply a spoofed return URL (the ReturnUrl value the login page redirects to after a successful login), so the user is redirected to the attacker's site without noticing it. There the attacker can trick the user into handing over confidential information, for example by presenting a fake login form. This kind of attack is usually referred to as phishing. The practical lesson is that a login page must only redirect to relative URLs inside its own site, never to whatever the request says.
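The check that the lesson above calls for, as an added example (it is not code from the original post, nor ASP.NET's own implementation; it is a Python illustration of the logic, and the attacker-controlled test strings in it are constructed). It contrasts the unsafe "trust the parameter" pattern with a version that accepts only local paths:

```python
import re
from urllib.parse import urlsplit

# ASCII control characters and whitespace have no place in a return URL;
# a tab or newline in front of "//" is a classic way to slip past naive checks.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_local_url(url):
    """Return True only if `url` is a relative path inside this site."""
    if not isinstance(url, str) or not url:
        return False
    if _CONTROL_OR_SPACE.search(url):
        return False
    # Must be an absolute path on this host ("/..."), not a scheme ("http:...")
    if not url.startswith("/"):
        return False
    # "//evil.example" is protocol-relative and "/\evil.example" is normalised
    # to the same thing by browsers; both leave the site.
    if len(url) > 1 and url[1] in "/\\":
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def vulnerable_redirect_target(return_url, default="/"):
    """The unsafe pattern: redirect wherever the ReturnUrl parameter says."""
    return return_url or default


def safe_redirect_target(return_url, default="/"):
    """Redirect to ReturnUrl only when it stays on this site, else to `default`."""
    return return_url if is_local_url(return_url) else default


if __name__ == "__main__":
    # Constructed inputs: the first is what a legitimate login flow sends,
    # the rest are the shapes an attacker would put into a phishing link.
    for candidate in ["/account/orders?id=7", "//attacker.example/login",
                      "http://attacker.example/", "/\\attacker.example",
                      "javascript:alert(1)", "\t//attacker.example", ""]:
        print("%-28r vulnerable -> %-26r fixed -> %r" % (
            candidate, vulnerable_redirect_target(candidate),
            safe_redirect_target(candidate)))
```

Note that the check deliberately does not try to "clean up" a bad value; anything that is not plainly a local path falls back to the default page, which is the same posture the patched forms-authentication redirect takes.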

ASP.NET Forms Authentication Bypass Vulnerability - applies to all .NET Framework versions; severity rating critical. This vulnerability was not publicly disclosed before the update was available. There are two preconditions: the attacker must be able to register an account in the ASP.NET application, and she must know the account name of an existing user on the site. The attacker can then send a specially crafted request and take any action on the site in the context of the targeted user, including running arbitrary commands that user is allowed to run. This is an elevation-of-privilege vulnerability, and it is the reason the bulletin is rated critical: any site that lets visitors register themselves and has a known administrator account name is exposed.

ASP.NET Forms Authentication Ticket Caching Vulnerability - applies to all .NET Framework versions; severity rating important. This vulnerability was not publicly disclosed before the update was available. It is caused by incorrect caching and is exploitable only if forms authentication is used with sliding expiration (the slidingExpiration attribute of the <forms> element in web.config, which is enabled by default). An attacker can then elevate her privileges and run arbitrary commands in the context of a different user. If you cannot install the update immediately, turning sliding expiration off removes the precondition for this particular vulnerability.

Collisions in HashTable May Cause DoS Vulnerability - applies to all .NET Framework versions; severity rating important. Unlike the other three, this vulnerability was publicly disclosed before the update: it was presented on 28th December at the Chaos Computer Club's congress. See this link for more info about the session. It affects not only ASP.NET web applications but also several other platforms, such as PHP or Java. The mechanism is simple: a web framework stores the names of POST parameters in a hash table, and if the hash function is predictable, the attacker can precompute thousands of parameter names that all hash to the same value and send them in one request. Every insertion then has to be compared against all the colliding entries already in the table, so the CPU time grows with the square of the number of parameters, and a few such requests can keep the server's processor busy for minutes or hours. After that the server is not able to respond to other requests. This kind of attack is referred to as a DoS (denial of service). The update limits the number of keys ASP.NET will accept in a request's form, query string and similar collections, so the quadratic work is capped (see the comments below for the limit and how to change it). If you are interested in the details of this vulnerability, see this document.
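The attack and the cap-on-key-count mitigation, as an added example that is not part of the original post. It is a constructed Python model: the hash function is DJBX33A (multiply by 33 and add, the string hash PHP used at the time; .NET's string hash is a different function, but the attack and the fix have the same shape), the hash table is a minimal chained table that counts key comparisons, and the colliding parameter names are generated rather than taken from any real request:

```python
from collections import defaultdict
from itertools import product

MASK32 = 0xFFFFFFFF


def djbx33a(s):
    """32-bit DJBX33A string hash: h = h * 33 + ord(c), starting from 5381."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & MASK32
    return h


def colliding_blocks():
    """Largest set of two-character printable strings that share a hash.

    DJBX33A is multiplicative, so equal-length blocks with equal hash stay
    interchangeable inside longer strings: any concatenation of such blocks
    yields the same full 32-bit hash, giving unlimited collisions for free.
    """
    groups = defaultdict(list)
    for a, b in product(range(33, 127), repeat=2):
        block = chr(a) + chr(b)
        groups[djbx33a(block)].append(block)
    return max(groups.values(), key=len)


def colliding_keys(n_blocks):
    """All parameter names made of n_blocks colliding blocks (len(blocks)**n_blocks of them)."""
    blocks = colliding_blocks()
    return ["".join(combo) for combo in product(blocks, repeat=n_blocks)]


class ChainedTable:
    """Minimal chained hash table that counts key comparisons made on insert."""

    def __init__(self, max_keys=None, buckets=8):
        self.buckets = [[] for _ in range(buckets)]
        self.count = 0
        self.comparisons = 0
        self.max_keys = max_keys  # the mitigation: None means unlimited

    def insert(self, key, value):
        if self.max_keys is not None and self.count >= self.max_keys:
            raise ValueError("too many keys in request")
        if self.count + 1 > 0.75 * len(self.buckets):
            self._grow()
        chain = self.buckets[djbx33a(key) % len(self.buckets)]
        for entry in chain:  # every colliding key already present is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.count += 1

    def _grow(self):
        old = self.buckets
        self.buckets = [[] for _ in range(2 * len(old))]
        for chain in old:
            for key, value in chain:
                self.buckets[djbx33a(key) % len(self.buckets)].append([key, value])


def parse_form(pairs, max_keys=None):
    """Simulate a framework building its POST collection.

    Returns (comparisons made, whether the request was rejected by the cap).
    """
    table = ChainedTable(max_keys=max_keys)
    for key, value in pairs:
        try:
            table.insert(key, value)
        except ValueError:
            return table.comparisons, True
    return table.comparisons, False


if __name__ == "__main__":
    hostile = [(k, "x") for k in colliding_keys(7)]            # 2187 colliding names
    benign = [("field%d" % i, "x") for i in range(len(hostile))]
    print("benign   :", parse_form(benign))
    print("hostile  :", parse_form(hostile))
    print("hostile, capped at 1000 keys:", parse_form(hostile, max_keys=1000))
```

Growing the table does not help: all the hostile names share one 32-bit hash, so they land in the same bucket at any table size. Only bounding the number of keys (or, as later platform fixes did, randomising the hash) bounds the work; note that the cap rejects the whole request rather than silently dropping fields, which is why a legitimate form with more fields than the limit breaks until the limit is raised.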

As I wrote above, the update that fixes these vulnerabilities is available via Windows Update. If you cannot update right away, look up the workarounds for each vulnerability in the security bulletin.



Dominik Pinter

I'm a fan of cloud computing (primarily Windows Azure) and I really like to dig into web application security. My blog is focused on everything related to Kentico, .NET Framework, Cloud platforms and web application security.

Comments

kentico_dominikp commented on

Hi Gareth,
According to Scott Guthrie's answer on his blog (http://weblogs.asp.net/scottgu/archive/2011/12/28/asp-net-security-update-shipping-thursday-dec-29th.aspx), the number of POST parameters is limited to 1000 by default. This shouldn't be a problem for Kentico CMS since we don't have forms containing 1000 fields or so. However, you can create your own form with an unlimited number of fields using, for example, our "on-line forms" functionality. If you need forms with more than 1000 fields you can change the default behaviour with the following key:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="<your desired number>"/>
</appSettings>

Gareth commented on

Any updates on how this affects Kentico?

The update limits the number of POST and viewstate "variables" to 500.