Frequently Asked Questions about the ASP.NET Security Vulnerability

Two days ago I published an important blog post about a security vulnerability in ASP.NET.  In it I discussed a workaround that we recommend customers use to help prevent attackers from using the vulnerability against your applications.

Below are answers to some common questions people have asked since then about the vulnerability.

Important Update: You can now download the official security patch update here.  Please install it ASAP on your servers – it is the only way to protect against the vulnerability.

Is Microsoft going to release an update to fix the vulnerability?

Yes.  We are working on an update to ASP.NET that we will release via Windows Update once it has been thoroughly tested and is ready for broad distribution.

Until the update is available, we will also publish details on workarounds (like the one described in this post) that can be applied immediately to help protect against the vulnerability.  Note that the workarounds are temporary - and will not be required once the update fixes the vulnerability in the underlying products.  They are intended to provide steps that you can take immediately until the update is available.

Is this an issue in ASP.NET or is it some cryptographic vulnerability?

This is a vulnerability in how ASP.NET uses cryptography in some circumstances that enables side-channel leaks through error responses.  The current ASP.NET use of encryption padding provides information in error responses that can be used by a malicious party.  We will be fixing this vulnerability in the security update.

Does this affect both ASP.NET Web Forms and ASP.NET MVC?

Yes – the publicly disclosed exploit can be used against all types of ASP.NET Applications (including both Web Forms and MVC).

Does this affect SharePoint?

Yes – the publicly disclosed exploit can also be used against SharePoint 2010.  The SharePoint team recently published a blog post that describes a workaround you can apply until we release the security update.

What would an attack look like on the network or in my logs?

The publicly disclosed exploit would cause the web server to generate thousands (or more likely tens of thousands) of HTTP 500 and 404 error responses to requests from a malicious client.

You can use stateful filters in your firewall or intrusion detection systems on your network to detect such patterns and block such clients.  The Dynamic IP Restrictions module supported by IIS 7 can also be used to block these types of attacks.

An attack attempt like this should also generate thousands of warnings in the application event log of your server similar to:

Event code: 3005

Event message: An unhandled exception has occurred.

Event time: 11/11/1111 11:11:11 AM

Application information:

    Application domain: c1db5830-1-129291000036654651

    Application Virtual Path: /

Exception information:

    Exception type: CryptographicException

    Exception message: Padding is invalid and cannot be removed.

Note that there are non-attack reasons to see this error as well (including cases where you have mismatched keys on a web-farm, or a search engine is following links incorrectly, etc), so its presence does not necessarily indicate an attack. 

The exception also does not mean that an attack was successful.  Implementing the <customErrors> workaround we have provided can protect your application from the public exploit, and ensure that these exceptions do not disclose information that an attacker can use against the application.

What does the <customErrors> workaround do?

A workaround you can use to protect your application from the public exploit is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error response - regardless of the error encountered on the server.  By mapping all error pages to a single error page, you can make it more difficult for an attacker using the public exploit to distinguish between the different types of errors that occur on a server. I covered how to implement the workaround in this blog post.

If you are using .NET Framework version 3.5 SP1 or 4.0, the workaround provides further protection by also helping to mitigate against potential timing analysis attacks.  The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page.  These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.

Can I configure a custom 404 error page response and a default redirect for all other errors?

No. By doing this you are still letting an attacker draw distinction between a 404 and other errors. Homogenizing errors is a crucial component to mitigating this attack.  Note that this is a workaround until a security patch is available to fix the underlying product vulnerability. This workaround will not be required once we release a security update.

Am I vulnerable if I have my own custom error module?

If the responses that are sent out from your custom logging module do not let the client distinguish between error responses either through its content or time that it takes to serve out, then such a module is an adequate replacement for the customErrors workaround. These responses include both the entire HTTP response and the HTTP error code. If any of the above is not true at all times, then this is not sufficient.  Instead you should send out the same error response for all errors until the security update is available to fix the underlying vulnerability.

Should I be concerned about this vulnerability if I don’t store any sensitive information in my viewstate?

Yes you should.  There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file.  You should apply the workaround to block the padding oracle attack in its initial stage of the attack.  The security update will fix this vulnerability.

What are best practices to secure my data within the web.config file?

It is always a best practice to encrypt sensitive configuration data within web.config files. That way if your web.config file is ever exposed, attackers can not use its contents maliciously.  This MSDN documentation describes how to encrypt web.config file configuration sections: http://msdn.microsoft.com/en-us/library/zhhddkxy(VS.80).aspx.  This tutorial also provides more samples of how to encrypt web.config file contents: http://www.4guysfromrolla.com/articles/021506-1.aspx

Why am I getting an error running the vulnerability detection .vbs script?

In my initial blog post I pointed at a .vbs script that you can run against a server to identify any applications within it that need to have their <customErrors> sections updated as a workaround against the publicly disclosed exploit. 

On IIS 7, the script requires you to have the IIS 6 management compatibility feature installed to be able to use this script.  To enable this, run Add/Remove Programs on workstations and Add Web Server Role Services on server operating systems and select the IIS 6.0 Management Compatibility feature under the “Internet Information Services” feature area. If this feature is already installed, please ensure that you are running the script with Administrator privileges.

Summary

We will post more information as our investigations continue, and we will post security advisory updates if the situation changes.  You can learn more about this vulnerability from:

Please post specific questions about the vulnerability in this forum on the www.asp.net web-site.

Important Update: You can now download the official security patch update here.  Please install it ASAP on your servers – it is the only way to protect against the vulnerability.

Thanks,

Scott

100 Comments

  • In our application, we catch exceptions in Global.asax and *redirect* to an error page. Does it make sense then to use *ResponseRedirect* instead of *ResponseRewrite* and specify the same error page?

  • @Troy Hunt,

    >>>>>>> Scott, can you comment on whether the pre-.NET3.5 SP1 error handling is more at risk due to its inability to employ response rewriting? Given your suggestion of a random sleep time employed in the error page won't do any good in this situation, are earlier versions of .NET more vulnerable to timing attacks? Is there an advantage to be gained by upgrading apps to newer versions of the framework?

    I would not recommend upgrading as a way to make yourself less vulnerable as this time. We have not yet seen the actual exploit code that was publicly demonstrated, but we believe it uses several attack vectors on different versions of .NET. We are working to patch all known and suspected vectors right now. I would recommend holding off upgrading unless we discover more information that says that it makes you more secure (in which case we will share it as a workaround).

    Thanks,

    Scott

  • Thank you and your team for responding to this issue so quickly. I'll post my followup questions on the forum link provided.

  • @Richard,

    >>>>>>>> In our application, we catch exceptions in Global.asax and *redirect* to an error page. Does it make sense then to use *ResponseRedirect* instead of *ResponseRewrite* and specify the same error page?

    I'd recommend not sharing an HTTP error code and send back the same HTML error response for errors. Doing either a redirect or sending back the response itself is probably fine either way. If you wanted to, you could also use the timing logic we put in the workaround to add a little random timing noise to the error handler response time.

    Hope this helps,

    Scott

  • What about Azure? I have sites that are hosted on azure, what can I do?

    Regards,

    Rudi

  • Are there laws to protect consumers from the reckless hackers who publicised these vulnerabilities without working with the vendor? There has to be some penalty for them, or other people who try to make a name for themselves by sharing unnecessary details that cause a greater harm.

  • @ScottGu - you specifically mention SharePoint 2010. Does it imply that vulnerability doesn't apply to SharePoint 2007?

    If it does - what is the guidance? Strangely - SharePoint team is silent on that as well. There are more sites we have for 2007 to take care of today, than for 2010.

    Appreciate all the effort that is going into this.

    --Sharad

  • @Stefan,

    >>>>>>> Scott have you seen this message?

    There are a couple of different attack vectors out there, and they differ somewhat on the different versions of ASP.NET. Right now we believe the workaround guidance we've posted closes the attack vector that was used in the public demonstration for .NET 3.5 and below using the static error file.

    Hope this helps,

    Scott

  • @Rudi,

    >>>>>>>> What about Azure? I have sites that are hosted on azure, what can I do?

    ASP.NET sites running on Azure should also apply the workaround (which is to enable customErrors).

    Hope this helps,

    Scott

  • @Greg,

    >>>>>>> You mention this affects "all types" of ASP.NET applications, but do not list an important category. Doe this vulnerability affect ASP.NET Web Services applications? Thx.

    I'd recommend applying the workaround and enable (best to err on the side of caution even if we aren't sure). Note that .asmx and .svc endpoints do not use the ASP.NET section - which is ok. The section though will be able to handle other URLs that might come to ASP.NET and helps ensure everything is sealed no matter what.

    Hope this helps,

    Scott

  • @Sharad,

    >>>>>>> you specifically mention SharePoint 2010. Does it imply that vulnerability doesn't apply to SharePoint 2007?

    We are still working on identifying that. I know the SharePoint team is investigating it hard right now.

    Until then I'd recommend applying the workaround just to be safe regardless.

    Hope this helps,

    Scott

  • Does this apply to all authentication? Are only 'Anonymous' website at risk? For instance, if my application requires 'windows authentication' is it safe?

  • Is it OK to have IIS 6 handle general HTTP 404 errors for non-ASP.NET resources? (and applying the workaround in Web.config, for requests being sent from IIS 6 to ASP.NET due to specific file extensions etc.)

  • a silly question perhaps: are applications developed in classic ASP affected as well?

  • The vbs script just searches the inetpub folders/web sites within. However, some of the sites that are within these folders are configured within IIS, but are not started. Is the script just being over zealous, or could these web.config files be obtained through this issue as well?

    Cheers

    Ian

  • It's not clear to me what nefariousness this vulnerability enables:
    - If web.config contains no sensitive information (and indeed contains very little beyond the obvious defaults in the first place), what else could an attacker do that makes this vulnerability relevant?
    - Is this vulnerability relevant even when viewstate is not enabled? Does using session-state matter?
    - The application we're developing and does not use any ASP.NET controls (all html generation is done via custom handlers). Is this vulnerability still relevant then?

  • Can someone help me usnderstand this problem.I can not see How customising the Error response message prevent this attack.

    If I am the attacker, I construct a valid request, send the request, and get a valid response (200).
    I can then manipulate the valid requests padding, send it and get an either an error (500) or reponse (200).

    This way, I am still able to determine if the padding was correclty guessed?

  • Unless the workaround has been applied, would there still be benefit in encrypting the web.config file since the attacker can get hold of the key and then decrypt it anyway? Can the web.config be encrypted with another key?

  • I want to ask few questions:

    - What if I have enable SSL to my site? Is it safe?
    - What about Windows Azure? Is it safe?
    - What about WCF services uses ASP.Net Authentication?

    We wish you best health to solve this problem.

  • @Scott, very good summary. I have one more question. You wrote that under ASP.NET 3.5 SP1 and ASP.NET 4.0 one can make a random delay in the Error.aspx to enhance security.
    I was thinking about this: if I put the same code (that makes the random delay) to the Application_Error method, that should have the same effect, and it works with all ASP.NET versions, right?

  • Guess, this should really go to DNN security, but the exploit as per video was on DotNetNuke (DNN) (which, BTW, is part of the Web Platform Installer download provided by Microsoft). Don't you think DNN should do away with storing machine keys in web.config? After all, they've come a long way since IBuySpy.

  • Hey, how about an error page that always takes the same amount of time. Something like:

    1. Time of incoming request
    2. Do processing
    3. Stuffs gone wrong
    4. sleep( 1s - (time now - (1) ) )

    If anyone can come up with a neat implementation of this then it might be a handy bit of code to have in error pages generally...

  • I have not seen any mention of HTTPS sites. Would they affected as well?

  • Scott, does this vulnerability affects FormsAuthentication cookies as well?

  • Your workaround works for me with files, but if I have a bad directory, like mysite.com/FakeDirectory I still get a 404. Is there something else that needs to be done or could errors produced in that way not be used for the exploit?

  • Is ADFS / WIF affected by this issue ?

  • You mentioned in your FAQ that SharePoint 2010 was affected. Is SharePoint 2007 affected as well?

  • What about sites that have ASP.NET installed, but aren't taking advantage of it? For example in shared hosting where ASP.NET, classic ASP and PHP are all enabled on a particular site, if only classic PHP is being used, is that site still vulnerable since ASP.NET is installed? Do we need to add a web.config file to a site that is otherwise purely PHP just because ASP.NET is enabled for that site in IIS?

  • This may be my lack of understanding of the problem. But after applying the workaround, requesting pagethatdoesnotexist.aspx behaves as expected and directs to my static page, but if i ask for /dirthatdoesnotexist i still get the canned 404 page. is that OK or is that a problem too?

  • I'm confused by the specifics of the solution here. I've implemented the customErrors fix but now the url has 'aspxerrorpath' appended to it. Won't an attacker be able to distinguish between a 404 and 500 by using the response returned with the aspxerrorpath?

  • Is there vulnerability in other applications that we should be patching as well? For us we are interested in BizTalk 2006 (BAMPortal and Human Workflow Services), and SQL Server Reporting Services. Should we apply the workaround to these sites as well or will there be specific guidance from the product teams in question?

  • Scott
    If we just have intranet websites; what is your recommendation? Do they need to be patched as well?
    Would like to confirm since the way I understand it; this is relevant for externally facing websites
    Thanks

  • RE: "Your workaround works for me with files, but if I have a bad directory, like mysite.com/FakeDirectory I still get a 404. Is there something else that needs to be done or could errors produced in that way not be used for the exploit?"

    Does defining a 404 error page with the redirect *pointing to the SAME page as the defaultRedirect page* avoid the side channel attack, even though it contradicts the advice to not define per-status error pages? (Doing so does avoid the scenario described above)

  • Would this be an issue with Exchange 2007 if we are using OWA? I am certain we would not have even edited the web.config file, so there isn't any sensitive information in it.

  • Mr. Valasek, if I understand correctly what Scott has said, your proposed server-side fix will NOT block the POET attacks, because it returns Error 404 (according to the description on your codeplex site). Returning the same error code all the time is NOT enough. The point is that you must return NO error (Status Code 200) for ALL requests, and also add the random timing to make sure that the server. ANY error code response will provide useful hint information to the blackhats (read: @$$hats).

    Scott's Web.config CustomErrors ResponseRewrite trick displays a custom error page that returns Status Code 200, and adds the random timing.

  • So, a thought... all those people that exposed their Windows Home Server (WHS) boxes through the internet are running ASP.Net applications against a Windows Server 2003 / IIS site. Shouldn't those machines be just as vulnerable? Is Microsoft going to push a fix to those boxen as well?

  • Joel@MMCC: If I understood correctly, the problem is in distinguishing between 404 and 500 errors. Scott's solution returns 200, but it's by design of ASP.NET. My module also adds the random delay, it's just not explicitly mentioned in description.

    It's easy to change the module to return 200 to all requests, but I don't see any point in it - the difference between correct content and error message (regardless of its form) would be always distinguishable.

    Maybe I'm wrong, I'm working with incomplete information, like nearly everyone :-/ In such case, contact me at michal (dot) valasek (at) altairis (dot) cz.

  • I have applied customerrors on my sharepoint site but cannot, despite following the instructions on the Ms site get a genuine custom response in place. Am I right in thinking that this is less important than putting the custom errors in place?

  • This may be a silly question, but...

    For one of my IIS sites that's not running any ASP.NET code, I have "No Application Defined" and Execute permissions set to "None" and the vulnerability scanner is detecting a vulnerable configuration found. Is it really vulnerable? Or can I safely ignore this message?

  • @joel
    I don't think thats correct. The attack relies on leaking the question "is the padding on this block of cipher text valid?" as I understand it anything that prevents that question from being answered will work.

    @scott
    The fix should include using a per application IV as this seems to be the best way to prevent a decryption oracle from being used in "CBC-R" mode to encrypt data.

  • Sorry if this is too nit-picky but: .NET 3.5SP1 is installed on our production web server but the web applications are using the 2.0.50727 CLR, not the .NET 4 run-time. Should we implement the v1-3.5 version of the fix or the v3.5SP1-4.0 version?

  • RE: "Does defining a 404 error page with the redirect *pointing to the SAME page as the defaultRedirect page* avoid the side channel attack, even though it contradicts the advice to not define per-status error pages? (Doing so does avoid the scenario described above)"

    Correcting myself - it doesn't avoid the above scenario. Defining a 404 error page with the redirect pointing to the SAME page as the defaultRedirect page at in *machine.config* does seem to work for me though. Apologies.

  • @joel@MMCC
    Thanks for your comment. I can see that as long as your response code is always 200, things should be ok. I can also see that you mention something of a random delay in the response when an error has accured. I think a problem with that will be that a successful request will always respond quicker than one which causes an "exception" and is combined with a random delay. So in theory, this way, if the response from the oracle is a bit slow, then assume you got the padding wrong.

    @Scott - Re-written my cusom error handler to always respond with a 200 - I am not sure this will help with a timing attack... :-(

    @team-microsoft - Hope you can get this fixed soon.

  • We are using WIF to protect our application. Is that enough to prevent the issue?

  • Dear Scott,

    In IIS 6.0, Website Properties, there is a Custom Error tab and inside has a lot of custom errors start from 400 to 502. Do I need to map all these errors to my default custom error page?

  • How can i remove the WebResource.axd and ScriptResource.axd from an IIS6 Webserver?

    The disabling of this handlers should disable downloading the web.config file, even if the poet-attack itself would not be affected, right? Or would this be a workaround against the attack, too?

  • I personally believe that the POET demonstration in fact uncovers two vulnerabilities:
    1. The padding-oracle-exploit used to determine the Asp.Net machineKey
    2. The fact that tampering authentication cookies allow an attacker to impersonate requests, using a fake identity.

    Although this can bee seen as a workaround for the first problem, the second problem can be solved in many situations.
    If an Asp.Net application uses sessionstate (enableSessionState=true) it's not to hard to develop a generic httpModule that signs the authentication-cookie using it's (encrypted)value and a serverside (random and session specific) salt during EndRequest, end verifies the signature during each BeginRequest. The signature itself can be written to an extra cookie. The use of a serverside (random and session-specific) salt makes the signature and the authcookie safe for tampering.

    I believe that this is actually a better workaround than the customErrors workaround, because with a few simple changes POET (and such tools) can still differentiate between valid and invalid requests.

  • We have .NET 3.5SP1 installed on our web servers but the applications are configured to use the .NET 2.0 CLR, not the 4.0 run-time. Should we implement the v1.0-3.5 fix or the 3.5SP1-4.0 fix?

  • If Web.configs are, by default, encrypted by the machine key, and this exploit either (a) gives the attacker the machine key, or (b) gives the attacker a way to decrypt anything encrypted with the machine key (What I think is actually the case), doesn't this sort of mean that the web.config file is going to divulge information even if it's encrypted?

    What are our options then for protecting the web.config?

  • I made the change indicated in this blog and it still shows "404 Not Found" instead of my custom error.html page. What could I be doing wrong? I triple-checked everything and followed the directions precisely.

    I found a blog that said that if the custom error page is less than 512MB that IE 7+ will not render the page. My custom error page is 3KB so I'm not sure how that is relevant.

    Ideas anyone?

  • @SPJen,
    I think the file size is 512bytes not 512MB.

  • How can we be notified when this patch is available? I would like to patch my servers as soon as possible after the update is released.

  • Would using customErrors="RemoteOnly" instead of customErrors="On" work as well (to allow developers to more easily reproduce and diagnose errors when logged onto the same machine? Or does customErrors explicitly have to be "On"?

  • I have httpErrors, will they work ?

    something like this

    &lt;httpErrors errorMode=&quot;Custom&quot;&gt;
    &lt;remove statusCode=&quot;401&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;403&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;404&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;405&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;406&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;412&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;500&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;501&quot; subStatusCode=&quot;-1&quot;/&gt;
    &lt;remove statusCode=&quot;502&quot; subStatusCode=&quot;-1&quot;/&gt;

    &lt;error statusCode=&quot;401&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=401&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;403&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=403&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;404&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=404&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;405&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=405&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;406&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=406&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;412&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=412&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;500&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=500&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;501&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=501&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;error statusCode=&quot;502&quot; subStatusCode=&quot;-1&quot; prefixLanguageFilePath=&quot;&quot; path=&quot;/Error.aspx?code=502&quot; responseMode=&quot;ExecuteURL&quot; /&gt;
    &lt;/httpErrors&gt;

  • one more thing, I have handling errors in Application_Error of Global.asax. And I tried the url with invalid key and I got 200 status with an blank error page(not from httpErrors). I hope its safe ?

  • @EvereQ,

    >>>>>>>>If say quickly: I am not sure that code from workaround you publish (both C# / VB version) can made some significant barrier for hacker! So if possible, check my comments and let me know what you think about it? Adding only say 13 "fixed" delays can't protect us I think :) I hope Windows Update hotfix will contain some better protection :)

    Timing attacks can be challenging to get right. We think the workaround we recommended helps against this.

    Hope this helps,

    Scott

  • @Gilles,

    >>>>>>>> Does this apply to all authentication? Are only 'Anonymous' website at risk? For instance, if my application requires 'windows authentication' is it safe?

    We recommend applying the workaround right now for all sites regardless of authentication type.

    Thanks,

    Scott

  • @GS,

    >>>>>>>>> Is it OK to have IIS 6 handle general HTTP 404 errors for non-ASP.NET resources? (and applying the workaround in Web.config, for requests being sent from IIS 6 to ASP.NET due to specific file extensions etc.)

    Yes - the customErrors workaround we've recommended is only necessary for ASP.NET resources.

    Hope this helps,

    Scott

  • @Pieter,

    >>>>>>>> a silly question perhaps: are applications developed in classic ASP affected as well?

    Classic ASP applications are not affected.

    Hope this helps,

    Scott

  • @Ians555,

    >>>>>>> The vbs script just searches the inetpub folders/web sites within. However, some of the sites that are within these folders are configured within IIS, but are not started. Is the script just being over zealous, or could these web.config files be obtained through this issue as well?

    The script is being a little overzealous. If the sites are not running then they are safe.

    Hope this helps,

    Scott

  • @Eamon,

    >>>>>>>> It's not clear to me what nefariousness this vulnerability enables:

    >>>>>>>> - If web.config contains no sensitive information (and indeed contains very little beyond the obvious defaults in the first place), what else could an attacker do that makes this vulnerability relevant?

    In general you never want to expose anything to a hacker

    >>>>>>>> - Is this vulnerability relevant even when viewstate is not enabled? Does using session-state matter?

    This issue does not require ViewState

    >>>>>>>> - The application we're developing and does not use any ASP.NET controls (all html generation is done via custom handlers). Is this vulnerability still relevant then?

    Yes - per the above guidance we recommend installing this workaround for all ASP.NET applications.

    Hope this helps,

    Scott

  • @david,

    >>>>>>>> Can someone help me usnderstand this problem.I can not see How customising the Error response message prevent this attack. If I am the attacker, I construct a valid request, send the request, and get a valid response (200). I can then manipulate the valid requests padding, send it and get an either an error (500) or reponse (200). This way, I am still able to determine if the padding was correclty guessed?

    The issue reported is an oracle padding attack - which is a little complicated to explain (a lot of math is involved). This blog post explains things more: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

    Hope this helps,

    Scott

  • @Neil,

    >>>>>>>>>> Unless the workaround has been applied, would there still be benefit in encrypting the web.config file since the attacker can get hold of the key and then decrypt it anyway? Can the web.config be encrypted with another key?

    Encrypting web.config files is handled using an OS encryption key which is different than ASP.NET ones. Even if the web.config file is retrieved a remote attacker would not be able to read it.

    Hope this helps,

    Scott

  • @LockeVN,

    >>>>>>> I want to ask few questions:

    - What if I have enable SSL to my site? Is it safe?
    - What about Windows Azure? Is it safe?
    - What about WCF services uses ASP.Net Authentication?

    >>>>>>> We wish you best health to solve this problem.

    The guidance we are giving is to install the workaround regardless of the app type and where it is deployed. We will then have a patch that fixes the underlying issue.

    Thanks,

    Scott

  • @Venemo,

    >>>>>>> I was thinking about this: if I put the same code (that makes the random delay) to the Application_Error method, that should have the same effect, and it works with all ASP.NET versions, right?

    Yes - you could use that same code to add a random delay using Application_Error.

    Hope this helps,

    Scott

  • @MikeRamsey,

    >>>>>>>> I have not seen any mention of HTTPS sites. Would they affected as well?

    We are recommending right now that all sites implement the workaround to better protect themselves.

    Thanks,

    Scott

  • @Diego,

    >>>>>>> Scott, does this vulnerability affects FormsAuthentication cookies as well?

    We have not had any attacks reported against FormsAuth tickets.

    Hope this helps,

    Scott

  • @Mike,

    >>>>>>>> Your workaround works for me with files, but if I have a bad directory, like mysite.com/FakeDirectory I still get a 404. Is there something else that needs to be done or could errors produced in that way not be used for the exploit?

    The error handling workaround is only needed for ASP.NET resources. Static content (like directories) are handled by IIS - and do not divulge oracle padding information.

    Hope this helps,

    Scott

  • @Vijay,

    >>>>>>>>> Is ADFS / WIF affected by this issue ?

    At this time we are recommending that all ASP.NET applications implement the workaround.

    Thanks,

    Scott

  • @BrianS,

    >>>>>>> You mentioned in your FAQ that SharePoint 2010 was affected. Is SharePoint 2007 affected as well?

    We are still investigating this. At this time I'd recommend implementing the workaround just to be safe.

    Thanks,

    Scott

  • @Scott Issacs,

    >>>>>>> What about sites that have ASP.NET installed, but aren't taking advantage of it? For example in shared hosting where ASP.NET, classic ASP and PHP are all enabled on a particular site, if only classic PHP is being used, is that site still vulnerable since ASP.NET is installed? Do we need to add a web.config file to a site that is otherwise purely PHP just because ASP.NET is enabled for that site in IIS?

    Just to be safe I would. If you want to disable ASP.NET for that site you can also follow the steps in this blog post: http://blogs.iis.net/ruslany/archive/2010/09/22/asp-net-vulnerability-affecting-php-sites-on-iis.aspx

    Hope this helps,

    Scott

  • @chris,

    >>>>>>> This may be my lack of understanding of the problem. But after applying the workaround, requesting pagethatdoesnotexist.aspx behaves as expected and directs to my static page, but if i ask for /dirthatdoesnotexist i still get the canned 404 page. is that OK or is that a problem too?

    That is ok. That URL isn't being handled by ASP.NET but rather IIS - and does not disclose any information.

    Hope this helps,

    Scott

  • @Roger,

    >>>>>>>>> I'm confused by the specifics of the solution here. I've implemented the customErrors fix but now the url has 'aspxerrorpath' appended to it. Won't an attacker be able to distinguish between a 404 and 500 by using the response returned with the aspxerrorpath?

    The key thing is to make sure that you always send people to the same error path (in which case the return code doesn't matter). Make sure to follow the steps in my workaround article and only use defaultRedirect to help block it.

    Thanks,

    Scott

  • @Matt,

    >>>>>>>> Is there vulnerability in other applications that we should be patching as well? For us we are interested in BizTalk 2006 (BAMPortal and Human Workflow Services), and SQL Server Reporting Services. Should we apply the workaround to these sites as well or will there be specific guidance from the product teams in question?

    If the sites are external facing (meaning on the Internet) then I'd recommend applying the workaround to them as well.

    Thanks,

    Scott

  • @aspnetdev,

    >>>>>>>> If we just have intranet websites; what is your recommendation? Do they need to be patched as well? Would like to confirm since the way I understand it; this is relevant for externally facing websites

    The most pressing need is to apply this workaround for external facing sites - where anonymous hackers can attack you. Within your Intranet it probably depends on the trust level you have with your employees and the general logging you do on your servers.

    Hope this helps,

    Scott

  • @AnonCoder,

    >>>>>>>> RE: "Your workaround works for me with files, but if I have a bad directory, like mysite.com/FakeDirectory I still get a 404. Is there something else that needs to be done or could errors produced in that way not be used for the exploit?"

    Directories are handled by IIS instead of ASP.NET. So the 404 you get back from a directory is ok.

    Hope this helps,

    Scott

  • @Daryl,

    >>>>>>>>> Would this be an issue with Exchange 2007 if we are using OWA? I am certain we would not have even edited the web.config file, so there isn't any sensitive information in it.

    It could be. I'm not sure of the exact guidance the Exchange team is providing right now on it. If you can implement the workaround that would be the safest step.

    Sorry!

    Scott

  • @Marc,

    >>>>>>>>>> So, a thought... all those people that exposed their Windows Home Server (WHS) boxes through the internet are running ASP.Net applications against a Windows Server 2003 / IIS site. Shouldn't those machines be just as vulnerable? Is Microsoft going to push a fix to those boxen as well?

    We will be releasing a patch on Windows Update - so all machines will get it.

    Hope this helps,

    Scott

  • @J Rubinstein,

    >>>>>>>> I have applied customerrors on my sharepoint site but cannot, despite following the instructions on the Ms site get a genuine custom response in place. Am I right in thinking that this is less important than putting the custom errors in place?

    If you send me email (scottgu@microsoft.com) I can have someone help you with this.

    Thanks,

    Scott

  • @Matt,

    >>>>>>>> For one of my IIS sites that's not running any ASP.NET code, I have "No Application Defined" and Execute permissions set to "None" and the vulnerability scanner is detecting a vulnerable configuration found. Is it really vulnerable? Or can I safely ignore this message?

    Here are some steps you can take to disable ASP.NET from an application: http://blogs.iis.net/ruslany/archive/2010/09/22/asp-net-vulnerability-affecting-php-sites-on-iis.aspx

    Hope this helps,

    Scott

  • @Dan,

    >>>>>>>>> Sorry if this is too nit-picky but: .NET 3.5SP1 is installed on our production web server but the web applications are using the 2.0.50727 CLR, not the .NET 4 run-time. Should we implement the v1-3.5 version of the fix or the v3.5SP1-4.0 version?

    You should implement the .NET 3.5 SP1 instructions.

    Hope this helps,

    Scott

  • @Roberto,

    >>>>>>>> We are using WIF to protect our application. Is that enough to prevent the issue?

    No - I'd recommend implementing the workaround we have published.

    Thanks,

    Scott

  • @chwi,

    >>>>>>>> How can i remove the WebResource.axd and ScriptResource.axd from an IIS6 Webserver?

    If you aren't using these handlers, then you can remove them by add elements with the section of your application's web.config file.

    Hope this helps,

    Scott

  • @DanW,

    >>>>>>>> We have .NET 3.5SP1 installed on our web servers but the applications are configured to use the .NET 2.0 CLR, not the 4.0 run-time. Should we implement the v1.0-3.5 fix or the 3.5SP1-4.0 fix?

    You should implement the .NET 3.5 SP1 version.

    Thanks,

    Scott

  • @i8beef,

    >>>>>>>>> If Web.configs are, by default, encrypted by the machine key, and this exploit either (a) gives the attacker the machine key, or (b) gives the attacker a way to decrypt anything encrypted with the machine key (What I think is actually the case), doesn't this sort of mean that the web.config file is going to divulge information even if it's encrypted? What are our options then for protecting the web.config?

    Web.config file encryption (using the tutorials I used above) uses the OS encryption services, which does not use a machine key stored in a config file. So even if the web.config file is retrieved it can't be read.

    Hope this helps,

    Scott

  • @SPJen,

    >>>>>>>>> I made the change indicated in this blog and it still shows "404 Not Found" instead of my custom error.html page. What could I be doing wrong? I triple-checked everything and followed the directions precisely

    If you can send me an email (scottgu@microsoft.com) we can help you get this right.

    Thanks,

    Scott

  • @Geiger,

    >>>>>>>> How can we be notified when this patch is available? I would like to patch my servers as soon as possible after the update is released.

    We'll send out an advisory when a patch is available. I'll also blog about it as soon as they are available.

    Hope this helps,

    Scott

  • @Jon,

    >>>>>>>> Would using customErrors="RemoteOnly" instead of customErrors="On" work as well (to allow developers to more easily reproduce and diagnose errors when logged onto the same machine? Or does customErrors explicitly have to be "On"?

    Yes - you can use either RemoteOnly or On - both work fine.

    Thanks,

    Scott

  • @Mack,

    >>>>>>>> After applying the patch I just get a 404 page when navigating to the page that does not exist? Is there something I missed?

    Did you navigate to a static file or directory? If so it will be served by IIS and not send back a custom error page.

    Thanks,

    Scott

  • @xmen,

    >>>>>>>> one more thing, I have handling errors in Application_Error of Global.asax. And I tried the url with invalid key and I got 200 status with an blank error page(not from httpErrors). I hope its safe ?

    I'm not entirely sure of what your configuration looks like. Can you post more details?

    Thanks,

    Scott

  • @Andy Maclean,

    Can you send me email (scottgu@microsoft.com) about your question? I can then help answer your question.

    Thanks,

    Scott

  • I have a requirement to handle a 404 code. what if I handle specfic code for 404 and for the other I return a wrong error code. For example if I get 500 error I return 404. Would that work?

    Regards,
    Saad

  • @Saad

    If you have 2 different pages for 500 and 400 then you are vulnerable.

    Consider the scenario where the hackers attacks the main vulnerable competent the webresource.axd with the following URLs

    yoursite.com/webresource.axd?d=myhack

    yoursite.com/webresource.axd?

    They return 2 different error codes. A 500 and 404. And a hacker will know that the first URL case will return a 500 and the second a 404. I expect that it is not a huge leap to work out that the error pages have been reversed and to attack based on this.

    For now just have 1 error page.

  • For this, I posted a full project with error handling and mailing yourself an email with errors.
    http://weblogs.asp.net/nannettethacker/archive/2010/09/21/asp-net-security-vulnerability-error-handling-project.aspx


    It is a 3-part post with a ZIP of the project included.

    One of the comments I received on my post was:
    You never do thread.sleep in asp.net. You will end up running out of server threads. Should be implemented async-ly.

  • Would catching the 500 exceptions (for FormatException and CryptographicException) in global.asax and then sending (*identical) 404 responses. Allowing that the 404 should still have random timing, this would make the invalid and valid states return identical http responses, how could you tell the difference? I've checked with fiddler, this should in theory work. Then you get to keep all the other non-vuln'd error pages.

    Would this work Scott?

    I still would like to know the attack vector for downloading the web.config, not the actual step by step instructions, but I don't see how this vulnerability should allow download of a .config file unless you can circumnavigate the forbidden handler (that's isapi right?) is this going to be one patch or two?

    *identical to a real 404

  • Hi,

    I wrote an HttpModule-based solution to the padding oracle exploit. The project is up at sws.codeplex.com and licensed under Apache 2. I don't have any official releases out there yet because I could use some help testing it and/or coding it. I haven't seen the exploit tools so I haven't been able to verify it's effectiveness yet. Right now, it's got 2 main features relating to the padding oracle expoit:

    1) It stores FormsAuthenticationCookie and FormsAuthenticationTicket information on the server at the time the ticket is issued. It uses this information to strengthen ticket validation... a LOT. Even if your machine keys are compromised, nobody can create a FormsAuthenticationCookie that will pass validation.
    2) It detects & prevents certain known padding oracle attack vectors (CryptographicException's on .axd requests) -- returns 200 codes where 404's or 500's are expected & introduces delays to the response.

    sws.codeplex.com / www.sholo.net for more info

    -Scott

  • I'm working on asp.net for 2 years and still working in. I've shared this page to my all friends and colleagues.

  • Hi,
    1-Does it matter if you are using IIS 6.x or 7.x? Our production server uses IIS 6 but our dev machines are using various versions of IIS 7.

    2-We dont use the customErrors section, however, we capture all errors in our global.asax and redirect to a single error page that always has the same message regardless of the actual error. Is this equivalent protection, or do we need to do the customerror section too?

  • The site I'm working on now uses Forms authentication and if I login then try to get to a page that is on the root of the site that does not exist I get sent to the generic error page just fine.

    If I am not logged in, I see the standard IIS7 404 message.

    Is there anything I can do?

    Thanks,
    Jen

  • Hi Scott,

    I'm using vs2008 sp1 and have implemented only the changes in the web.config mentioned below, but not the sleep delay logic.







    I have my own custom error page which is already present in my site. is this fine or i should implement the sleep delay logic in my error page.

    Thanks
    Ramesh G

Comments have been disabled for this content.