UPDATED Microsoft on Thursday plans to release an emergency out-of-band update to address a vulnerability in ASP.NET that could allow an attacker to consume all of the resources on a vulnerable server with a single specially designed HTTP request. The vulnerability affects a wide range of Web platforms are vulnerable to this attack, and Microsoft officials said they’re releasing the patch now because they’re expecting exploit code to be released in the near future.
The vulnerability was discussed at the Chaos Communications Congress conference in Germany earlier this week, although some form of the problem has been known for several years. In addition to ASP.NET, the flaw affects a number of other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.
Microsoft pushed the patch out for the vulnerability on Thursday afternoon, and recommended that customers with vulnerable installations deploy the patch immediately.
“This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,” Microsoft’s Susha Can and Jonathan Ness said in a blog post about the problem.
“The root cause of the vulnerability is a computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values. Therefore, any ASP.NET website that accepts requests having HTTP content types application/x-www-form-urlencoded or multipart/form-data are likely to be vulnerable. This includes the default configuration of IIS when ASP.NET is enabled and also the majority of real-world ASP.NET websites.”
In its advisory on the ASP.NET issue, Microsoft suggests a workaround for the problem. The workarounds decreases the maximum size of a request that the server will accept, which lowers the likelihood of the server being susceptible for the attack.
“This configuration value can be applied globally to all ASP.NET sites on a server by adding the entry to root web.config or applicationhost.config. Alternatively, this configuration can be restricted to a particular site or application by adding it to a web.config file for the particular site or application,” the advisory says.
The security researchers who published details of the vulnerability, Alexander Klink and Julian Walde, also discuss workarounds and mitigations for the problem in their paper.