Microsoft has released an advisory alerting its users to a critical vulnerability in ASP.NET (CVE-2011-3414). An attacker could potentially bring down a server (denial of service) with specially crafted requests. Given that all versions of ASP.NET are vulnerable, its exposure is pretty big. This advisory was in response to a public advisory presented at the 28th Chaos Communication Congress.
The root cause of the problem lies in hash collisions. Most web applications use hash tables to store user-supplied inputs such as form parameters. Because these inputs come from users, attackers control which keys end up in the hash tables. In this particular attack, the attacker sends a large number of key-value pairs with colliding keys. If the language's hash implementation is not randomized, the colliding entries all land in the same bucket and produce numerous hash collisions. Resolving these collisions results in very high CPU usage.
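The following added example (not code from the advisory or from ASP.NET) measures the cost of collision resolution described above. It uses a deliberately weak hash constructed for this demonstration (`toy_hash`, a byte sum) and compares it with a hash keyed by a per-process secret; the table size, function names and sample parameter names are all assumptions.

```python
import hashlib
import os
from itertools import islice, permutations

BUCKETS = 1024  # table size chosen for this demonstration (assumption)

def toy_hash(key: str) -> int:
    """Deliberately weak, unkeyed hash built for this demo: sum of bytes."""
    return sum(key.encode()) % BUCKETS

def make_keyed_hash(secret: bytes):
    """Randomized hashing: the bucket depends on a secret the client never sees."""
    def keyed(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed

def insert_all(keys, hash_fn):
    """Insert keys into a chained hash table.

    Returns (comparisons, longest_chain). The comparison count is the
    CPU work spent resolving collisions.
    """
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for k in keys:
        chain = table[hash_fn(k)]
        for existing in chain:      # walk the chain looking for a duplicate key
            comparisons += 1
            if existing == k:
                break
        else:
            chain.append(k)         # key not present yet: append to the bucket
    return comparisons, max(len(c) for c in table)

def sample_parameter_names(n):
    """Constructed form-parameter names: anagrams, so toy_hash maps them all to one bucket."""
    return ["".join(p) for p in islice(permutations("abcdefgh"), n)]

if __name__ == "__main__":
    keys = sample_parameter_names(2000)
    print("unkeyed (comparisons, longest chain):", insert_all(keys, toy_hash))
    print("keyed   (comparisons, longest chain):",
          insert_all(keys, make_keyed_hash(os.urandom(16))))
```

With the unkeyed hash the work grows quadratically with the number of parameters; with the keyed hash the same input spreads across buckets and the work stays close to linear.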
An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other web platforms and applications, such as Apache Tomcat, Apache Geronimo, Oracle web applications, and applications written in PHP, Python, Ruby, and Java, are also vulnerable to this same issue. It’s not a specific vulnerability but a fundamental software flaw in the implementation of hash algorithms.
Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, users may refer to the Trend Micro security advisory page in our Threat Encyclopedia.
Because of its severity, users are also advised to immediately update their systems before they usher in the new year.