Microsoft Security Advisory (2659883) - Vulnerability in ASP.NET Could Allow Denial of Service


Today I received this “Security Alert” from Microsoft via email and thought to share this with you. If you are using ASP.Net in your server, read this post to know about it to keep your server in good health from this DoS Attack. Sharing the email as it is in this post.

 

Microsoft is aware of detailed information that has been published describing a new method to exploit hash tables. Attacks targeting this type of vulnerability are generically known as hash collision attacks. Attacks such as these are not specific to Microsoft technologies and affect other web service software providers. This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages.

 

 

What is the purpose of this alert?

This alert is to notify you that Microsoft has released Security Advisory 2659883 - Vulnerability in ASP.NET Could Allow Denial of Service - on December 28, 2011.

 

Summary of the Alert

Microsoft is aware of detailed information that has been published describing a new method to exploit hash tables. Attacks targeting this type of vulnerability are generically known as hash collision attacks. Attacks such as these are not specific to Microsoft technologies and affect other web service software providers. This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages. Sites that only serve static content or disallow dynamic content types listed in the mitigation factors below are not vulnerable.

 

The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision. It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability but is not aware of any active attacks.

 

Details of a workaround to help protect sites against this vulnerability are provided in Security Advisory 2659883. Individual implementations for sites using ASP.NET will vary and Microsoft strongly suggests customers evaluate the impact of the workaround for applicability to their implementations.

 

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

 

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors

  1. By default, Internet Information Server is not enabled on any supported Windows operating system.
  2. Sites that disallow "application/x-www-form-urlencoded" or "multipart/form-data" HTTP content types are not vulnerable.

Recommendations

Review Security Advisory 2659883 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ), and links to additional resources.

 

Customers who believe they are affected can contact Customer Service and Support. Contact CSS in North America for help with security update issues or viruses at no charge using the PC Safety line (866)PCSAFETY. International customers can contact Customer Service and Support by using any method found at this location: http://www.microsoft.com/security/worldwide.aspx.

 

Additional Resources


If you have come this far, it means that you liked what you are reading. Why not reach little more and connect with me directly on Twitter, Facebook, Google+ and LinkedIn. I would love to hear your thoughts and opinions on my articles directly. Also, don't forget to share your views and/or feedback in the comment section below.

0 comments

 
© 2008-2016 Kunal-Chowdhury.com - Microsoft Technology Blog for developers and consumers | Designed by Kunal Chowdhury
Back to top