Microsoft ASP Vulnerability Disclosed

A vulnerability was revealed in the ASP.Net application encryption configuarion which can allow an attacker to decrypt and tamper with sensitive data. The vulnerability involves an unpatched information disclosure hole in the ASP.NET Web application framework. Microsoft has released a security advisory to confirm the vulnerability.
How it Works:
If the target ASP.NET application stores sensitive information (like database connection strings or  passwords) in the ViewState object; this data could be compromised.
If the ASP .Net application is running ASP.Net 3.5 SP1 or above, the attacker could use the encryption vulnerability to get  the contents of a file within the ASP.Net application. The disclosure demonstrated that by using this vulnerabilty technique to retrieve the contents of web.config, any file within the ASP.Net application can be compromised. If the worker process has access those elements it will return  the information back to the attacker.
Microsoft said it was unaware of attacks that try to use the vulnerabilities or of customer impact at this time. However, Microsoft indicates that a tool is now available to automatically find and exploit this vulnerability.
From that perspective we can conclude that the threat is real.


What happens when the vulnerability is exploited? Well, according to researchers   an attacker can easily view states, decrypt cookies, membership password,   form authentication tickets,  user data, plus anything else that is encrypted using the ASP.NET framework’s API. In otherwords, having the API can open the system to many other problems.
The vulnerabilities exploited affect the framework used by about 25 percent of Web sites on the Web. The total impact of the attack will depend on the applications installed on the server. These include  a minor information disclosure issues to a total system compromise. For its part, Microsoft has posted workarounds and suggested mitigations in its security advisory.

For more information see:   Microsoft

Comments are closed.
Skip to toolbar