Softpedia
September 25th, 2010, 08:16 GMT · By

New Mitigation Instructions for 0-Day ASP.NET Vulnerability

Microsoft strengthens workaround for ASP.NET vulnerability
Microsoft has published new mitigation instructions for an unpatched ASP.NET vulnerability. The additional step uses the UrlScan IIS module to block certain requests before they reach the application.

The vulnerability, identified as CVE-2010-3332, was disclosed earlier this month by security researchers Juliano Rizzo and Thai Duong at the ekoparty Security Conference in Argentina.

It allows cryptographic attacks known as "padding oracle" attacks against ASP.NET applications: by sending tampered ciphertexts and observing whether the application reports a padding error or some other error, an attacker can decrypt, and eventually forge, encrypted ViewState data without knowing the key.
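To make the mechanism concrete, the following is an added example, not code from the article or from the researchers' tool, of a CBC padding oracle attack in Python. It uses a deliberately toy Feistel block cipher built on SHA-256 so that it runs with the standard library alone; the attack does not depend on the cipher at all, only on CBC mode plus an oracle that answers "was the padding valid?". The plaintext standing in for an encrypted __VIEWSTATE value and the 16-byte key are constructed. A second oracle that gives the same answer for every query models a server whose error responses are indistinguishable, which is what the customErrors workaround aims for; against it the attack cannot recover a single byte.

```python
"""CBC padding oracle demo: recover plaintext using only a 'padding valid?' bit."""
import hashlib
import os

BLOCK = 16
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, r):
    # Toy round function: SHA-256 keyed by round index, truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    # Toy 4-round Feistel cipher (an assumption of this demo, weak on purpose).
    # The attack below never looks inside it; it only needs CBC + an oracle.
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext, iv=None):
    iv = iv if iv is not None else os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || C2 || ...


def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)  # raises ValueError on bad padding


def leaky_oracle(key):
    # Models a server whose "padding invalid" error differs from every other error.
    def oracle(ct):
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False
    return oracle


def uniform_oracle(key):
    # Models the unified-error-page workaround: the attacker's forged inputs all
    # produce one identical response, so nothing is learned. (Ignores timing.)
    return lambda ct: False


def padding_oracle_decrypt(oracle, ciphertext):
    """Recover the plaintext of IV||C1||... using only oracle(). Returns None if
    the oracle never confirms a padding, i.e. when responses are uniform."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)          # D_k(cur), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # force known bytes to the pad value
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte may be a longer padding (e.g. 02 02)
                    # by chance; flipping the byte to its left must not break a 01 pad.
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                return None
        recovered += _xor(inter, prev)
    return pkcs7_unpad(recovered)


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    # Constructed sample standing in for an encrypted __VIEWSTATE blob.
    secret = b"__VIEWSTATE: user=admin; role=Administrator"
    ct = cbc_encrypt(key, secret)
    print(padding_oracle_decrypt(leaky_oracle(key), ct))
    print(padding_oracle_decrypt(uniform_oracle(key), ct))
```

Against the leaky oracle the attacker needs at most 256 requests per byte, so a few kilobytes of ViewState fall in tens of thousands of requests, which is why any observable difference between error responses is enough. The uniform oracle shows what the workaround buys; it says nothing about response-time differences, which an identical error page alone does not remove.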

Microsoft published a security advisory shortly after the public disclosure, which included a workaround based on the customErrors feature: configure the application to serve the same page for every error type.

This prevents attackers from observing differences in the errors the application returns when it is sent specially crafted encrypted strings, a distinction the attack depends on.
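For illustration, a web.config fragment of the shape the customErrors workaround relies on (added here, not quoted from the article; the exact snippet Microsoft recommended for each framework version is in its advisory). redirectMode="ResponseRewrite" serves the error page in the same response instead of redirecting to it, so the URL does not change; error.aspx is an assumed page name.

```xml
<configuration>
  <system.web>
    <!-- One identical error page for every failure. ResponseRewrite avoids a
         redirect that would expose the failing URL or the error type. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```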

Earlier this week, the vendor confirmed that the vulnerability is already being exploited in the wild and updated its advisory to state that custom logging modules can serve as an alternative workaround if they are implemented correctly.

However, while the customErrors approach makes the attackers' job significantly harder, it is not completely bulletproof. So, yesterday the company announced an additional protection method to be used alongside it.

It involves installing the UrlScan IIS module, which is straightforward and quick, and adding a rule that blocks any request whose query string contains the application error path, the aspxerrorpath parameter that ASP.NET appends when it redirects to a custom error page.

This should be as easy as editing UrlScan.ini, adding aspxerrorpath= under the [DenyQueryStringSequences] section and restarting IIS.
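The resulting UrlScan.ini fragment, added here as an illustration rather than copied from the article. The file location is the usual one for UrlScan 3.x and is an assumption; UrlScan rejects a matching request before it reaches ASP.NET, and the change takes effect after an iisreset from an elevated prompt.

```ini
; UrlScan.ini (typically %windir%\system32\inetsrv\urlscan\UrlScan.ini)
; Any request whose query string contains a listed sequence is denied.
[DenyQueryStringSequences]
aspxerrorpath=
```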

"If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.

"Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability.

"[...] Once we release the security update, you will no longer need to implement any workaround steps," Scott Guthrie, the head of development for ASP.NET, said on his blog.
