IMPORTANT: ASP.NET Security Issue – Workaround & FAQ Available
Via Andrew Duthie… (and so important that I’m re-posting in its entirety.)
Late last week, Scott Guthrie posted a notice of a vulnerability that was discovered in ASP.NET that can lead to any ASP.NET-based application being compromised. The vulnerability in question is a padding oracle in the framework's cryptographic implementation. Attackers may be able to use the vulnerability to decrypt encrypted data sent to the client (such as encrypted ViewState), and it may also allow an attacker to download files within the scope of the application, including web.config.
Scott’s post details the recommended workaround until a fully-tested official patch is available (once the patch has been released, the workaround will no longer be necessary), so I recommend that anyone supporting an ASP.NET application go read Scott’s post and implement the workaround as soon as possible.
Essentially, the workaround involves enabling Custom Errors and ensuring that every error, whatever its cause, returns exactly the same error page (examples of both static and dynamic error pages are offered; the dynamic page is preferable if possible). In addition to the details in the original post, Scott has posted an FAQ with additional information on the vulnerability and workaround.
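To make the "one identical error page for every error" requirement concrete, here is an added web.config comparison that is not part of the original post or of Scott's workaround text: the first fragment is the kind of configuration the workaround asks you to move away from, the second is the shape it asks for. The file name Error.aspx is an assumption; substitute whatever page you deploy.

```xml
<!-- BEFORE (weak): different errors map to different pages, so the HTTP
     status and body tell the caller which kind of failure occurred.
     Error pages named here are placeholders. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/GenericError.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER (workaround shape): customErrors always on, no per-status
     <error> entries, and a single page (assumed name: Error.aspx) for
     everything. redirectMode="ResponseRewrite" (available since .NET 3.5
     SP1) serves the page in place instead of issuing a 302 to a
     different URL, so the response looks the same for every failure. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

After deploying, request a page that does not exist and a page that throws, and confirm from the client side that both responses are byte-for-byte the same apart from headers you expect to vary.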
Some additional resources:
- Microsoft Security Advisory on the issue
- ASP.NET Forum for questions/discussion of the vulnerability
As you can imagine, we’re taking this issue very seriously, and we ask all our customers to do the same. While we understand that implementing the workaround may restrict functionality that your application relies on, we want to minimize the impact on customers while the patch is being worked on.
Dmitry Lyalin discusses this vulnerability in our upcoming episode of the Connected Show (#37), which is currently in editing.
[Update 9-25-2010:] Scott Guthrie has just posted some ADDITIONAL workaround measures you should apply until a patch is available. Please read THIS POST too. If you have already applied the steps above, you will still want to apply the steps in this new post as an additive measure.