Microsoft ships emergency .NET fix to thwart hash table collision attacks

Microsoft ships emergency .NET fix to thwart hash table collision attacks

Summary: Microsoft .NET is one of several programming languages vulnerable to elevation of privilege attacks.

SHARE:
TOPICS: Security, Microsoft
7

While you were out making the most of your "use it or lose it" vacation time, Microsoft shipped a emergency security update to fix several serious security problems in the Microsoft .NET Framework.

The MS11-100 fixes a total of four security vulnerabilities (one publicly disclosed) and Microsoft is urging all Windows users to treat this as a "critical" issue because of the risk of privilege escalation attacks if an unauthenticated attacker sends a specially crafted web request to the target site.

follow Ryan Naraine on twitter

An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

The problem is not unique to Microsoft.  As explained by German security outfit n.runs AG (.pdf), some programming language implementations do not sufficiently randomize their hash functions or provide means to limit key collision attacks. This can be be leveraged by an unauthenticated attacker to cause a denial-of-service (DoS) condition.

More details in this oCERT advisory:

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

In addition to Microsoft .NET, the following programming languages are affected:

  • Java, all versions
  • JRuby <= 1.6.5
  • PHP <= 5.3.8, <= 5.4.0RC3
  • Python, all versions
  • Rubinius, all versions
  • Ruby <= 1.8.7-p356
  • Apache Geronimo, all versions
  • Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
  • Oracle Glassfish <= 3.1.1
  • Jetty, all versions
  • Plone, all versions
  • Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
  • V8 JavaScript Engine, all versions

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • more reasons to use FOSS

    because the design was right from the start!
    The Linux Geek
    • RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks

      @The Linux Geek Did you actually read the article

      In addition to Microsoft .NET, the following programming languages are affected:

      Java, all versions
      JRuby <= 1.6.5
      PHP <= 5.3.8, <= 5.4.0RC3
      Python, all versions
      Rubinius, all versions
      Ruby <= 1.8.7-p356
      Apache Geronimo, all versions
      Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
      Oracle Glassfish <= 3.1.1
      Jetty, all versions
      Plone, all versions
      Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
      V8 JavaScript Engine, all versions
      John J. Jordan
    • FOSS?

      @The Linux Geek

      Can you please provide a little clarity here. How does using FOSS help with this?
      bmonsterman
    • RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks

      @The Linux Geek You really are just a dumb f, aren't you?
      BFD
  • Perl was fixed in 2003 when this vulnerability was first discovered.

    Full disclosure.
    Rabid Howler Monkey
  • That was last week

    You're a little late, Ryan.

    Doh
    ScorpioBlue
  • RE: Microsoft ships emergency .NET fix to thwart hash table collision attacks

    this vuln has been peddled on crime forums as long as I can remember. GJ M$ 'rushing' out the emergency patch.
    Derpsaucex