Microsoft releases MS11-100 for ASP.NET DoS attack
Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early morning yesterday at the Chaos Communication Congress (CCC) in Berlin.
Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work.
We will be tracking how the other projects and vendors affected (PHP, Oracle, Phython, Ruby and others) are rolling out their patches.
The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany.
This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
Overall the bulletin addresses four issues: one critical, two important (one of them the DoS issue). We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.
Resources:
- Advisory by oCERT – lists all affected platforms and technologies.
- Advisory by nruns – technical detail.
- Presentation by Alexander Klink and Julian W?¤lde at 28c3.
- Microsoft SRD blog post on the workarounds available.
- SRD blog post with implementation details and improved Snort rules.
- KB2659883 – original Microsoft advisory.
Author: Wolfgang Kandek, CTO, Qualys.