A few hours ago Microsoft released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference. Microsoft recommends that all customers immediately apply a workaround (Scott Gu’s Weblog) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker who exploits this vulnerability could view data encrypted by the target server, such as the ViewState, or read files on the target server, such as web.config (which often contains sensitive data). The attacker could also tamper with the contents of that data: by sending the altered contents back to an affected server, the attacker can observe the error codes the server returns. An attacker exploiting this vulnerability can also decrypt data that was sent to the client in encrypted form (such as ViewState data within a page).

How to Workaround The Vulnerability

A workaround presented by @scottgu can be used to prevent exploitation of this vulnerability by enabling the <customErrors> feature of ASP.NET and explicitly configuring your applications to always return the same error page, regardless of the error encountered on the server. By mapping all errors to a single error page, you prevent an attacker from distinguishing between the different types of errors that occur on the server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status-code error pages are set.
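The three conditions above (custom errors enabled, a single defaultRedirect, no per-status-code pages) are easy to get wrong in a large web.config. The following script is an added example, not code from the advisory or from Scott Gu’s post: it embeds two constructed web.config fragments, one that still leaks error distinctions and one that meets the conditions, and audits a config the way a reviewer would. The file names `~/error.html`, `~/NotFound.aspx` and `~/ServerError.aspx` are assumed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: custom errors are on, but per-status-code pages let
# a client tell a 404 apart from a 500, and there is no defaultRedirect.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# Constructed sample: one error page for every error, no per-status entries.
# (~/error.html is an assumed file name.)
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml: str) -> List[str]:
    """Return a list of findings for the <customErrors> section.

    An empty list means the config satisfies the workaround as described:
    custom errors are not switched off, a defaultRedirect is set, and no
    per-status-code <error> entries exist.
    """
    findings = []
    root = ET.fromstring(config_xml)
    custom_errors = root.find("./system.web/customErrors")
    if custom_errors is None:
        findings.append(
            "no <customErrors> element: ASP.NET's built-in error pages "
            "differ by error type"
        )
        return findings

    # ASP.NET treats a missing mode attribute as RemoteOnly; RemoteOnly
    # still shows detailed errors to local requests, so mode="On" is the
    # safer choice, but only mode="Off" is flagged here.
    mode = custom_errors.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append('customErrors mode="Off": detailed errors sent to every client')

    if not custom_errors.get("defaultRedirect"):
        findings.append(
            "defaultRedirect not set: error responses still differ by error type"
        )

    per_status = [e.get("statusCode", "?") for e in custom_errors.findall("error")]
    if per_status:
        findings.append(
            "per-status-code <error> entries present: " + ", ".join(per_status)
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_custom_errors(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real web.config by reading the file into a string and passing it to `audit_custom_errors`; any finding means the application still returns distinguishable error responses and the workaround is incomplete.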

How to Find More Information about this Vulnerability

You can find more info about this vulnerability from:

The affected platforms range widely, from all versions of .NET Framework 1.1 on Windows XP Service Pack 3 to Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4.0 on Windows 7 for 32-bit and 64-bit systems.
