Microsoft Patch Disclosure
September 28th, 2010
Today, Microsoft released a special out-of-band patch which repairs a vulnerability in ASP.NET that could allow information disclosure.
Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
Attend our upcoming Vulnerability Expert Forum for complete analysis of recent critical vulnerabilities
The eEye Research Team
Wednesday October 13th at
11am PDT / 2pm EDT
Register Now >>
Please note, Microsoft will NOT initially be issuing patches through normal automatic updates. The patches will need to be installed manually through the Microsoft Download Center. After further testing done by Microsoft, they will release the security update through the normal distribution methods.
eEye suggests that all users with Microsoft IIS servers apply this Out-of-Band patch immediately. Those using the VIEWSTATE function should test the impact of this patch on internal applications and network continuity.
For those who would like further information regarding the potential risks and remediation requirements of all patches, please consider attending next month's Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Microsoft Severity Rating: Important
eEye Severity Rating: Critical
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.
- ASP.NET Padding Oracle Vulnerability - CVE-2010-3332
An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.
This vulnerability is exploited by an attacker repeatedly sending and modifying HTTP requests to a web server. Depending on the error returned, the attacker can deduce which encryption scheme the server is using and thus read and write encrypted requests. This can be done within 40 minutes and allows an attacker to send spoofed requests to ScriptResource.axd and request the contents of a file stored on the server. The server receives the malicious encrypted text, which would be used to compromise the server.
If you are using Microsoft IIS for a web server, install the patch immediately. Until the patch has been installed, administrators should configure servers to only respond with a single error page, meaning that all server errors should return the same error page so that an attacker would not be able to determine which part of their request was deciphered properly. In addition to this, modify the Page_Load() function within the custom error page to pause for a short random sleep delay before sending the error response.
Administrators should watch for errors with the following message: "CryptographicException” and/or “Padding is invalid and cannot be removed” as these could be an indicator that an attacker may be trying to exploit this vulnerability against an IIS server.