JRahm
Community Manager

Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool.  The attack itself preys on a bug in ASP.NET’s AES implementation, which you can read about over here at threatpost.  So what’s the reward for a successful attack?  It’s not going to allow the attacker to execute code or elevate rights, but it does allow the attacker to read potentially sensitive data that could then be used to further compromise the system.

The mitigation for this attack is to obfuscate the server errors by ensuring that, no matter what the error, the same error page is returned.  This can be done manually in your configurations by addressing the relevant section of the web.config file, or you can mitigate centrally at your web farm’s front door with (of course!) an iRule.

Comments
JRahm
Community Manager
@Bertrand This solution applies pre- and post-3.5SP1 unless I'm reading the advisory wrong.

@Matt I only implemented the specified workaround, not any additional recommendations. You are correct in that you could add a delay, but it would be better without the variable, and would look more like this:

# blocking delay of 2000..11999 ms, computed in a single braced expr
after [expr { int(10000 * rand()) + 2000 }]
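Putting the article's mitigation (one identical error page for every server error) together with the random delay from the comment above, here is an added example iRule. It is not the iRule the article refers to; it assumes a virtual server with a standard HTTP profile, and the error body and the 2000..11999 ms delay window are constructed values you would tune for your platform.

```tcl
# Added example, not the article's own iRule.
# Goal: an attacker probing the padding oracle must not be able to tell a
# padding/decryption failure from any other error, by content or by timing.
when HTTP_RESPONSE {
    # Only error responses from the pool members are rewritten; normal
    # responses pass through untouched.
    if { [HTTP::status] >= 400 } {
        # Random blocking delay (2000..11999 ms, constructed window) so the
        # response time carries no information about which error occurred.
        after [expr { int(10000 * rand()) + 2000 }]

        # Replace the server's response entirely: fixed status, fixed headers,
        # fixed body, no matter what the application actually reported.
        HTTP::respond 500 content \
            {<html><body><h1>An error occurred.</h1></body></html>} \
            "Content-Type" "text/html" \
            "Cache-Control" "no-store"
    }
}
```

Because every 4xx/5xx is collapsed into the same page, check that your monitoring still sees the original status codes on the server side (for example via pool member logs) before you roll this out broadly.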
JRahm
Community Manager
Thanks @Bertrand. Also, thanks to Scott Guthrie over at weblogs.asp.net/.../...security-vulnerability.aspx for his thoughtful post and comment replies.
JRahm
Community Manager
You could use a for loop as a delay, just randomize the upper limit on a base of x number of milliseconds. That figure will change based on platform, so you'll just need to run some tests to find the sweet spot.
Version history
Last update:
20-Sep-2010 09:34