Vulnerability in ASP.NET
On September 17, 2010, Microsoft released Security Advisory 2416728, which stated that Microsoft was investigating public reports of a vulnerability in ASP.NET. On September 28, 2010, Microsoft released an out-of-band (outside the normal patch schedule) bulletin, Security Bulletin MS10-070, and an associated patch to address the issue.
An attacker who successfully exploits this vulnerability against an affected version of ASP.NET is able to view data encrypted by the server, including state data. If the server is running Microsoft .NET Framework 3.5 Service Pack 1 or higher, the attacker may also be able to retrieve any file within the application. This would include configuration files, such as web.config, that may store sensitive attributes. Through the information disclosure attack, an attacker may have enough information to compromise the integrity of the web application or the host system.
The following versions of the .NET Framework are affected when installed on the following system platforms. Please review Security Bulletin MS10-070 for a complete list of affected combinations.
Affected .NET Framework versions:
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
Affected system platforms:
- Windows XP
- Windows Vista
- Windows 2003
- Windows 2008
- Windows 2008 R2
- Windows 2008 R2 Server Core
Note: Windows 2008 Server Core is not affected, but Windows 2008 R2 Server Core is affected.
Microsoft is aware of active attacks exploiting this vulnerability. Researchers have demonstrated and released proof-of-concept code that exploits this vulnerability and can be used to compromise ASP.NET applications. Depending on the nature and configuration of the exploited web application, the host server may be compromised.
Contrary to Microsoft's Important severity rating, UISO recommends web server administrators apply the patch contained in Security Bulletin MS10-070 as soon as possible to all affected web servers running ASP.NET applications. Initially this patch was only available through a manual download from Microsoft. A traditional patch was released through Automatic Updates on September 30, 2010.
Microsoft has published workarounds which make it more difficult for an attacker to determine whether an attack was successful by obscuring the error message returned to the client. These workarounds do not mitigate the underlying risk. The workaround methods are fully documented in Security Bulletin MS10-070 and include using URLScan or Request Filtering to block requests with "aspxerrorpath=" set and configuring ASP.NET to use a uniform custom error page.
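For administrators applying the uniform custom error page workaround while patching is scheduled, the following added example (not code from Microsoft or UISO) audits a web.config for settings that would still return distinguishable error responses. It assumes the standard ASP.NET `customErrors` attributes (`mode`, `defaultRedirect`, and child `error` elements); the function name and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: detailed errors on, plus a distinct page for one status code.
WEAK = """<configuration><system.web>
  <customErrors mode="Off">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: every error is answered with the same page.
HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings for a web.config string; an empty list means one uniform page."""
    root = ET.fromstring(web_config_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop an XML namespace if the file declares one
    nodes = list(root.iter("customErrors"))  # also finds <location>-scoped sections
    if not nodes:
        return ["no <customErrors> section: no uniform error page is configured"]
    findings = []
    for node in nodes:
        default = node.get("defaultRedirect")
        if node.get("mode") == "Off":
            findings.append("mode is Off: detailed errors are returned to clients")
        if not default:
            findings.append("defaultRedirect is missing: no single error page")
        for err in node.findall("error"):
            # A per-status page that differs from the default makes responses distinguishable.
            if err.get("redirect") != default:
                findings.append("status %s uses its own page %s"
                                % (err.get("statusCode"), err.get("redirect")))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_custom_errors(xml_text) or "uniform error page configured")
```

An empty result only confirms the workaround is in place; the patch in Security Bulletin MS10-070 is still required.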