Microsoft published Security Advisory 2659883 to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various Web platforms industry-wide.
This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages.
Sites that only serve static content or disallow dynamic content types listed in the mitigation factors below are not vulnerable.
The vulnerability stems from the way ASP.NET processes the values in a form post, which can be made to cause hash collisions. An attacker can send a small number of specially crafted posts to an ASP.NET server and degrade performance significantly enough to cause a denial of service condition.
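To show why colliding keys are so expensive, the following added example (not code from the advisory or from Microsoft) counts the key comparisons a chained hash table performs while storing form field names. `toy_hash` is a hypothetical stand-in, not the .NET string hash, and the keyed-hash contrast is a general illustration, not the advisory's workaround; all keys are constructed sample data.

```python
import hashlib
import os

BUCKETS = 1024

def toy_hash(key: str) -> int:
    """Deterministic, unkeyed toy hash (an assumption, NOT the .NET string hash)."""
    return sum(ord(c) * (i + 1) for i, c in enumerate(key))

_SECRET = os.urandom(16)  # per-process secret that a remote client cannot know

def keyed_hash(key: str) -> int:
    """Keyed hash: bucket placement depends on the secret, not only on the key."""
    digest = hashlib.blake2b(key.encode("utf-8"), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def insert_cost(keys, hash_fn) -> int:
    """Insert keys into a chained hash table and return the key comparisons made."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % BUCKETS]
        for existing in chain:  # the duplicate check walks the chain
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons

def colliding_keys(n: int):
    """Constructed two-character names (n <= 2000) sharing one toy_hash value."""
    # toy_hash("ab") = a + 2*b, so lowering a by 2 while raising b by 1 keeps it fixed.
    return [chr(0x6000 - 2 * i) + chr(0x3000 + i) for i in range(n)]

def ordinary_keys(n: int):
    """Constructed field names of the kind a normal form would post."""
    return [f"field{i}" for i in range(n)]

if __name__ == "__main__":
    n = 2000
    print("ordinary keys, toy hash   :", insert_cost(ordinary_keys(n), toy_hash))
    print("colliding keys, toy hash  :", insert_cost(colliding_keys(n), toy_hash))
    print("colliding keys, keyed hash:", insert_cost(colliding_keys(n), keyed_hash))
```

With every key in one bucket, the n-th insert compares against all n-1 earlier keys, so the total work grows quadratically with the number of posted fields instead of linearly.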
Andrew Storms, director of security operations for nCircle, said: “This isn’t your average DoS attack because it doesn’t take a botnet or a lot of coordination to take a web server down. Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it. In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline.”
Dave Forstrom, director, Microsoft Trustworthy Computing, said: “We are not aware of any attacks using this vulnerability, which affects all supported versions of .NET Framework, however we recommend customers use the mitigation and workaround described in the Advisory to help protect sites against this new method to exploit hash tables.”