Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early yesterday morning at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days to integrate this new vulnerability into the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers’ work. We will be tracking how the other affected projects and vendors (PHP, Oracle, Python, Ruby and others) roll out their patches.
The bulletin fixes the DoS attack vector by imposing a limit on the number of variables that can be submitted in a single HTTP POST request. The default limit is 1000, which should be enough for normal web applications but is still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
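Why a cap on the field count is enough to blunt the attack, as an added illustration that is not Microsoft's code or taken from the bulletin: inserting n keys that share one bucket of a chained hash table costs n(n-1)/2 comparisons, so bounding n bounds the work per request. The `ChainedTable` model, the constant hash function that forces collisions, and `parse_form` are assumptions made for this example.

```python
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 1000  # default limit stated in the post above


class TooManyFormKeys(ValueError):
    """Raised when a body carries more fields than the configured cap."""


def parse_form(body, max_keys=MAX_FORM_KEYS):
    """Parse a urlencoded body; reject it before any table insert if too large."""
    fields = [f for f in body.split("&") if f]
    if len(fields) > max_keys:
        raise TooManyFormKeys(f"{len(fields)} fields exceeds limit {max_keys}")
    form = {}
    for field in fields:
        name, _, value = field.partition("=")
        form.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return form


class ChainedTable:
    """Toy chained hash table counting key comparisons (constructed model)."""

    def __init__(self, hash_fn, buckets=1024):
        self.buckets = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def worst_case_comparisons(n):
    """Comparisons needed to insert n distinct keys that all share one bucket."""
    table = ChainedTable(hash_fn=lambda key: 0)  # forced collisions, by construction
    for i in range(n):
        table.insert(f"k{i}", "")
    return table.comparisons


if __name__ == "__main__":
    for n in (MAX_FORM_KEYS, 4 * MAX_FORM_KEYS):  # capped vs. uncapped request size
        print(n, "colliding keys ->", worst_case_comparisons(n), "comparisons")
```

The check counts fields before anything is inserted, so an oversized body is rejected without paying the collision cost.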
Overall, the bulletin addresses four issues. CVE-2011-3416 is an ASP.NET Forms Authentication Bypass issue, which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability, which is also rated as important. Finally, CVE-2011-3415 is the Insecure Redirect vulnerability, which is rated as moderate. We recommend installing the update as soon as possible if you have web-based infrastructure that uses ASP.NET.
- Advisory by oCERT – lists all affected platforms and technologies
- Advisory by nruns – technical detail
- Presentation by Alexander Klink and Julian Wälde at 28c3
- Microsoft SRD blog post on the workarounds available
- SRD blog post with implementation details and improved Snort rules
- KB2659883 – original Microsoft advisory