Security Bulletins

Vulnerability in ASP.NET

Background

On September 17, 2010, Microsoft released Security Advisory 2416728, stating that Microsoft was investigating public reports of a vulnerability in ASP.NET. On September 28, 2010, Microsoft released an out-of-band (outside the normal patch schedule) bulletin, Security Bulletin MS10-070, and an associated patch to address the issue.

Impact

An attacker who successfully exploits this vulnerability against an affected version of ASP.NET is able to view data encrypted by the server, including state data. If the server is running Microsoft .NET Framework 3.5 Service Pack 1 or higher, the attacker may also be able to retrieve any file within the application. This includes configuration files such as web.config, which may store sensitive attributes. Through this information disclosure, an attacker may obtain enough information to compromise the integrity of the web application or the host system.

Platforms Affected

The following versions of the .NET Framework are affected when installed on the following system platforms. Please review Security Bulletin MS10-070 for a complete list of affected combinations.

  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 4.0
  • Windows XP
  • Windows Vista
  • Windows 2003
  • Windows 2008
  • Windows 2008 R2
  • Windows 2008 R2 Server Core

Note: Windows 2008 Server Core is not affected, but Windows 2008 R2 Server Core is affected.

Local Observations

Microsoft is aware of active attacks exploiting this vulnerability. Researchers have demonstrated and released proof of concept code that will exploit this vulnerability and can be used to compromise ASP.NET applications. Depending on the nature and configuration of the exploited web application, the host server may be compromised.

UISO Recommendations

Contrary to Microsoft's Important severity rating, UISO recommends web server administrators apply the patch contained in