Let iRules Work Around that ASP.NET Padding Oracle Attack

Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool.  The attack itself preys on a padding oracle in ASP.NET's use of AES in CBC mode: the framework returns a different error depending on whether a tampered ciphertext decrypts to valid padding or not, and that difference is enough for an attacker to decrypt protected data (ViewState, forms authentication tickets and the like) one byte at a time.  You can read the details over at threatpost.  So what's the reward for a successful attack?  It's not going to allow the attacker to execute code or elevate rights, but it does allow the attacker to read potentially sensitive data that could then be further used to compromise the system.

The mitigation for this attack is to remove the oracle by ensuring that no matter what the error, the same error page (same status code, same body) is returned.  This can be done manually in your configurations by addressing the customErrors section of the web.config file so that every error is rewritten to a single page, or, you can mitigate centrally at your web farm's front door with (of course!) an iRule.
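One way to do this centrally on the LTM, as an added example iRule that is not the article's own (the original iRule is not reproduced on this page). It assumes a virtual server with an HTTP profile in front of the ASP.NET farm and a BIG-IP version that supports the `after` command with a millisecond delay (v10.1 or later); the error page text and the 200 status are arbitrary choices, the only thing that matters is that they are identical for every error.

```tcl
# Added example iRule (not from the original article).
# Assumption: the virtual server has an HTTP profile, BIG-IP v10.1+ (for "after").

when HTTP_RESPONSE {
    # The padding oracle keys on the difference between ASP.NET's error
    # responses (e.g. 404 vs. 500 for bad padding vs. bad MAC/ViewState).
    # Collapse every 4xx/5xx from the pool member into one identical response
    # so the client can no longer tell the failure modes apart.
    if { [HTTP::status] >= 400 } {

        # Microsoft's workaround also adds a random sleep in the error page to
        # blur timing differences.  Pause this connection 2000-12000 ms before
        # answering; "after <ms>" suspends the current iRule event for that long.
        after [expr { int(10000 * rand()) + 2000 }]

        # HTTP::respond in HTTP_RESPONSE discards the server's response and sends
        # ours instead.  Fixed status, fixed body, fixed headers, every time.
        HTTP::respond 200 content \
            "<html><body>An error occurred while processing your request.</body></html>" \
            "Content-Type" "text/html" \
            "Cache-Control" "no-cache"
    }
}
```

The web.config equivalent from the advisory is the customErrors element with mode="On" and a single defaultRedirect page (redirectMode="ResponseRewrite" on 3.5 SP1 and later, so the error is served in place rather than via a 302 that itself leaks which error occurred); the iRule above gives you the same effect without touching each application, and a random delay on the BIG-IP means the delay is applied even to apps whose error page has none.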


Published Sep 20, 2010
Version 1.0

3 Comments

  • @Bertand This solution applies pre and post-3.5SP1 unless I'm reading the advisory wrong.

    @Matt I only implemented the specified workaround, not any additional recommendations. You are correct in that you could add a delay, but would be better without the variable, and would look more like this:

    after [expr { int(10000 * rand()) + 2000 }]
  • You could use a for loop as a delay, just randomize the upper limit on a base of x number of milliseconds. That figure will change based on platform, so you'll just need to run some tests to find the sweet spot.