ASP.NET Padding Oracle Fix and Risks

As most SharePoint, security and .NET professionals will know by now, a hotfix for the Padding Oracle vulnerability in ASP.NET was released out-of-band on Tuesday. A live TechNet Webcast with a Q&A was held with Dave Forstrom, Director, Response Communications and Dustin Childs, Senior Security Manager. I’ve put together these rough notes from that webcast, as I think this information needs to reach a wider audience.

This is intended to be a (very) rough guide to the webcast content, and I make no claims about the accuracy – I’ve purely attempted to repeat a small portion of what was discussed on the webcast – some of which was covered very quickly. If any of this is of particular interest, I suggest watching the webcast. I’m primarily interested in motivating people to apply the patch while repeating some of the considerations that should be… considered before doing so.

  • Microsoft expects exploits of un-patched systems to increase over the next 30 days.
  • While this is categorised as an “important” update, it has a critical impact. Attackers can potentially do the following:
    • Retrieve files with no user interaction:
      • Private certificates.
      • Encryption keys.
      • Credentials to other systems and sensitive information.
    • Tamper with data to cause the server to take unexpected actions, potentially leading to code execution.
    • They said the, “vulnerability rating is only a starting point”. In my opinion, they were strongly hinting that this should be considered a critical issue.
  • Microsoft recommends patching all internet-facing systems with ASP.NET web applications ASAP.
    • The patch should be tested for specific applications/solutions before deployment.
    • They noted that internal systems may be vulnerable to internal attacks, but they were attempting to assign very broad priorities and suggested applying the patch internally when it is released through Windows Update, noting that some organisations may need to apply the patches internally sooner.
  • All installed versions of the .NET Framework need to be updated.
    • When systems run multiple versions of the .NET Framework side-by-side, they recommend installing the hotfixes for the lowest version numbers first, increasing sequentially (.NET 1.1, .NET 2, .NET 3.5.). See the bulletin for more information.
    • Note: these are not cumulative updates.
    • The patch can be rolled back. All updates for the .NET Framework can be uninstalled.
  • This fix supersedes the workarounds. If workarounds are in place, they should be retracted.
  • The patches require a reboot.
  • All FBA users will be logged out as part of the update.
  • Microsoft recommended updating the machine key after the update is applied.
    • There’s more information on the Machine Key on MSDN, if needed (my note).
  • ISA/IAG/TMG/UAG servers are not vulnerable unless the servers also use ASP.NET to host websites.

I’ve now tested this patch in our development environments and nothing obvious is broken, but my sites are not heavily customised, so please make sure to test your solutions with this patch before deployment. At the same time, keep in mind that this really is quite critical, so this should be done with some urgency, particularly for any sites that are exposed to the internet.

Leave a Reply

Your email address will not be published.