Microsoft late Friday issued a security advisory confirming the existence of an unpatched vulnerability that affects web applications built on ASP.NET.
A flaw in the way the ASP.NET web application development framework implements AES encryption could allow an attacker to decrypt and tamper with sensitive data, Kevin Brown, software development engineer, Microsoft Security Response Center, wrote in a blog post Friday. The vulnerability was disclosed last week by security researchers at the ekoparty hacking conference in Buenos Aires, Argentina. Microsoft said it is not currently aware of any attacks using the flaw.
“The vulnerability is caused by ASP.NET providing web clients details in error messages when decrypting certain ciphertext,” Microsoft’s advisory states. “This is known as a ‘padding oracle’ attack.”
In the field of cryptography, the term oracle refers to a system that provides hints about the contents of encrypted information, Brown said. The vulnerability does not relate to or affect any Oracle database products.
At the ekoparty hacking conference, security researchers Juliano Rizzo and Thai Dong demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).
Johnathan Norman, director of security research at IT security and compliance automation provider Alert Logic, told SCMagazineUS.com on Monday that with a little work, attackers could replicate the behavior of the exploit tool for malicious purposes.
“We suspect we will be seeing attacks in the wild by this afternoon or maybe tonight,” he said.
The impact of the flaw varies depending on the ASP.NET web application being attacked, Microsoft’s Brown said. For example, if the targeted ASP.Net application stores sensitive passwords, database connection strings or other sensitive information in the ViewState object, this data could be compromised. The ViewState is a technique in the ASP.NET framework that allows state values to be preserved across page postbacks.
“The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack,” Brown said.
Applications using ASP.NET version 3.5 Service Pack 1 or above could be exploited by an attacker to expose the contents of an arbitrary file within the application.
The impact of the vulnerability is far-reaching since ASP.NET applications are so widespread and easy to deploy, Norman said. The flaw may be particularly risky to sites that take credit cards, because they often store some sensitive information temporarily in a database that is connected to the web server. An attacker could potentially access this sensitive database using passwords found in configuration files on the server.
As a workaround, Microsoft suggested using the customErrors feature of ASP.NET to configure applications to return the same error page regardless of the error that occurred on the server, thus preventing an attacker from receiving the information needed to carry out an attack.
Microsoft is currently working on a permanent fix, which it may issue as part of its regular Patch Tuesday release process or as an out-of-cycle update, the software giant said in its advisory.
With no patch available, enterprises are currently scrambling to implement the workaround, Alert Logic’s Norman said.