There seems to be a fairly serious attack being exploited in the wild that targets vulnerable ASP.Net web applications, so far there is a temporary fix but no official announcement on when a patch will be issued. The next scheduled patches should be pushed out on October 12th.<\/p>\n
If you had set up your server to the \u2018best standards\u2019 you shouldn\u2019t be vulnerable to this anyway as the data in your config files should be encrypted, but honestly..how many people really take such precautions?<\/p>\n
<\/p>\n
As the exploit is being used in the wild, I\u2019d say not many.<\/p>\n
\nAttackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.
\nThe vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called \u201ccryptographic padding attack,\u201d which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.
\nNow, Microsoft security pros say they are seeing \u201climited attacks\u201d in the wild and warned that they can be used to read and tamper with a system\u2019s most sensitive configuration files.
\n\u201cThere is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,\u201d Microsoft\u2019s Scott Guthrie wrote on Monday night. \u201cYou should apply the workaround to block the padding oracle attack in its initial stage of the attack.\u201d (He went on to say sensitive data within web.config files should also be encrypted.)<\/p><\/blockquote>\nIt\u2019s actually another fairly complex and interesting example of a side channel attack. The last time we reported on this kind of attack was when Website Auto-complete Leaked Data Even Over Encrypted Link.<\/p>\n
This is certainly not a straight forward attack and I wouldn\u2019t expect to be seeing widespread hacks using this technique, but skilled attackers could leverage this when doing focused attacks on certain organisations or web properties.<\/p>\n
\nMicrosoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents.
\nBut by bombarding a vulnerable server with large amounts of corrupted data and then carefully analyzing the error messages that result, attackers can deduce the key used to encrypt the files. The side-channel attack can be used to convert virtually any file of the attacker\u2019s choosing.
\nThe temporary fix involves reconfiguring applications so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors A script to identify the oracles that needlessly reveal important cryptographic clues is here.
\nThai Duong, one of the researchers who disclosed the vulnerability last week, said here that simply turning off custom error messages was not enough to ward off exploits because attackers can still measure the different amounts of time required for certain errors to be returned.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"There seems to be a fairly serious attack being exploited in the wild that targets vulnerable ASP.Net web applications, so far there is a temporary fix but no official announcement…<\/p>\n","protected":false},"author":439,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[134,138,136,24,137,135,133],"class_list":["post-947","post","type-post","status-publish","format-standard","hentry","category-m","tag-aspnet","tag-attack","tag-cryptographic","tag-microsoft","tag-padding","tag-vulnerability","tag-warns"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-fh","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/439"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=947"}],"version-history":[{"count":1,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/947\/revisions"}],"predecessor-version":[{"id":953,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/947\/revisions\/953"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}