Vulnerability in .NET AES puts ASP.NET Web Sites at Risk

added by j.monty
9/14/2010 7:45:52 AM


ASP.NET web applications that leverage Forms Authentication, ASP.NET Membership Providers, ASP.NET Role Providers, and/or ViewState encryption are vulnerable to data exposure and potentially tampering. This vulnerability can lead to the .NET MachineKey being discovered by attackers. This post briefly details the issue and provides a simple temporary mitigation technique.


9/14/2010 7:44:21 AM
I read this article and realized that it would be very hard to do something colossally damaging with this attack unless you had a very long sequence of security flaws in your application.

What does concern me, however, is that there isn't a single mention of this vulnerability being disclosed to Microsoft. From what's implied in the article, the vulnerability itself will be announced at that hacker conference into the wild without Microsoft being notified beforehand.

9/14/2010 9:28:18 AM
My understanding is that Microsoft has been aware of the AES vulnerability for a while (since the original Oracle Padding vulnerability was discovered years ago); there was just no way to easily exploit it.

As far as damaging a site - you are correct, it depends on how the site is programmed - and that's where risk assessment comes in. The user name, and sometimes the roles, are stuffed into the Forms Authentication Ticket, which lives in the cookie (in the UserData field). I suspect an attacker could elevate privileges or just change their UserName on a site that uses Forms Auth by decrypting the cookie, modifying the roles and then re-encrypting it with the Machine Key.

This was old recommended practice from MS - to put roles in the UserData field of the Forms Auth Ticket: