Alleged Padding Oracle vulnerability in ASP.NET

  • Question

  • User-897750585 posted

    Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails, and ASP.NET?

    http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

    As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning banking and singling-out ASP.NET, websites where security is that important should all be using HTTPS.

    One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked-up and distributed and repeated prolifically. And sensationalist hype is a good way to get people to click on and share a link to your website. However, as fun and trendy as it may be to try and find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity. The original report presented at Woot 2010 doesn't even mention ASP.NET. Of course, various other platforms may be vulnerable, e.g. Python, which have not yet been tested because they are not very numerous/popular.

    Thanks! :)

     

     

    Friday, September 17, 2010 11:29 AM

All replies

  • User-1660457439 posted

    The MSRC advisory for this issue is available at http://www.microsoft.com/technet/security/advisory/2416728.mspx.  Please refer to that article for more information.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 17, 2010 10:59 PM
  • User-897750585 posted

    Thanks for the link to Microsoft's official security advisory for this padding oracle exploit, which is still under investigation.

    It would be useful to see a more detailed response from MS. There's a lot of misleading and unreliable information about this in articles circulating online, and some clarity from a trusted source is needed. There are thousands of articles making gross exaggerations, e.g. that this "completely breaks ASP.NET's security".

    What would be especially useful from Microsoft is some clarity on the following points.

    • Which features are affected?
      E.g. Just web form authentication, and nothing else is affected.
    • How severe is the risk?
      E.g. It's a risk if you store sensitive data in the cookie, which is bad practice anyway.
      E.g. It's a risk if you allow admin access via web forms authentication (I can't confirm whether this is the case but that has been suggested by some commentators) and if admin access does grant the ability on your website to do things you don't want malicious users to do.
    • What steps can be taken right now to mitigate the risk?
      E.g. avoiding the risk factors listed above, which are generally not good practice anyway.
    Saturday, September 18, 2010 4:09 AM
  • User-1660457439 posted

    The MSRC advisory contains answers to those questions.  Additionally, you might be interested in http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx, which explains the technical side behind this a little bit more.

    The MSRC advisory also contains a large section regarding steps application developers can take to mitigate this vulnerability.  It includes a sample custom error page that you can drop into your application and a Web.config snippet demonstrating how to hook it up.

    Saturday, September 18, 2010 4:17 AM
  • User-897750585 posted

    CONCLUSION

    I have found Microsoft's official response to the padding oracle exploit in ASP.NET on the Microsoft official security response blog. This is accompanied by a blog post about the extent of the risk and how to detect and protect against it. (Thanks to Nazim's IIS security blog where I found the information.)

    This confirms that there is only a risk if the web application displays details of errors. Obviously all production web applications should display a generic user-friendly error page regardless of the error. Displaying details of errors exposes an application to many other potential risks, not just this padding oracle attack.

    Saturday, September 18, 2010 4:26 AM
  • User-619846739 posted

    Tim, it's more impacting than that. Just having the status code available makes you vulnerable.  So, the important part is ensuring that all error pages (404, 500, etc) are directed to the same completely generic page, that doesn't even reveal what the status code is. 

    Saturday, September 18, 2010 10:14 AM
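
The mitigation discussed in the replies above (no error details shown, and every error sent to the same generic page) can be checked mechanically against a Web.config. The following is an added example, not code from this thread or from the MSRC advisory; the sample configs, the page names and the `audit_custom_errors` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples; page names are placeholders, not taken from the advisory.
WEAK = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/servererror.html" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means all errors share one generic page."""
    root = ET.fromstring(web_config_xml)
    section = next(root.iter("customErrors"), None)
    if section is None:
        return ["no <customErrors> section: no generic error page is configured"]

    findings = []
    # mode="Off" shows full error details to every client.
    if section.get("mode") == "Off":
        findings.append('mode="Off" displays error details to all users')

    default = section.get("defaultRedirect")
    if not default:
        findings.append("no defaultRedirect: errors are not sent to a generic page")

    # A per-status page lets a client tell a 404 from a 500 by where it lands.
    for err in section.findall("error"):
        target = err.get("redirect")
        if target != default:
            findings.append(
                f"status {err.get('statusCode')} goes to {target}, not {default}"
            )
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_custom_errors(xml) or "OK")
```
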
  • User168493707 posted

    I've tried to compile all the pertinent, up-to-date info here:

    http://leonardwoody.com/2010/09/18/security-vulnerability-in-asp-net/ 

    Saturday, September 18, 2010 3:26 PM