There seems to be a fairly serious attack being exploited in the wild that targets vulnerable ASP.Net web applications, so far there is a temporary fix but no official announcement on when a patch will be issued. The next scheduled patches should be pushed out on October 12th.
If you had set up your server to the ‘best standards’ you shouldn’t be vulnerable to this anyway as the data in your config files should be encrypted, but honestly..how many people really take such precautions?
As the exploit is being used in the wild, I’d say not many.
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.
The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.
Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system’s most sensitive configuration files.
“There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft’s Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.)
It’s actually another fairly complex and interesting example of a side channel attack. The last time we reported on this kind of attack was when Website Auto-complete Leaked Data Even Over Encrypted Link.
This is certainly not a straight forward attack and I wouldn’t expect to be seeing widespread hacks using this technique, but skilled attackers could leverage this when doing focused attacks on certain organisations or web properties.
Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents.
But by bombarding a vulnerable server with large amounts of corrupted data and then carefully analyzing the error messages that result, attackers can deduce the key used to encrypt the files. The side-channel attack can be used to convert virtually any file of the attacker’s choosing.
The temporary fix involves reconfiguring applications so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors A script to identify the oracles that needlessly reveal important cryptographic clues is here.
Thai Duong, one of the researchers who disclosed the vulnerability last week, said here that simply turning off custom error messages was not enough to ward off exploits because attackers can still measure the different amounts of time required for certain errors to be returned.
Details from the ASP.Net Blog including the workaround are available here:
Important: ASP.NET Security Vulnerability
There’s also a FAQ for the vulnerability here:
Frequently Asked Questions about the ASP.NET Security Vulnerability
More technical details about the nature of the attack are on the technet blog here:
Understanding the ASP.NET Vulnerability
Source: The Register