Frequently Asked Questions about the ASP.NET Security Vulnerability
page 6 of 8
by Scott Guthrie
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 28941/ 68

What does the <customErrors> workaround do?

A workaround you can use to protect your application from the public exploit is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error response - regardless of the error encountered on the server.  By mapping all error pages to a single error page, you can make it more difficult for an attacker using the public exploit to distinguish between the different types of errors that occur on a server. I covered how to implement the workaround in this blog post.

If you are using .NET Framework version 3.5 SP1 or 4.0, the workaround provides further protection by also helping to mitigate against potential timing analysis attacks.  The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page.  These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.

Can I configure a custom 404 error page response and a default redirect for all other errors?

No. By doing this you are still letting an attacker draw distinction between a 404 and other errors. Homogenizing errors is a crucial component to mitigating this attack.  Note that this is a workaround until a security patch is available to fix the underlying product vulnerability. This workaround will not be required once we release a security update.

Am I vulnerable if I have my own custom error module?

If the responses that are sent out from your custom logging module do not let the client distinguish between error responses either through its content or time that it takes to serve out, then such a module is an adequate replacement for the customErrors workaround. These responses include both the entire HTTP response and the HTTP error code. If any of the above is not true at all times, then this is not sufficient.  Instead you should send out the same error response for all errors until the security update is available to fix the underlying vulnerability.

Should I be concerned about this vulnerability if I don’t store any sensitive information in my viewstate?

Yes you should.  There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file.  You should apply the workaround to block the padding oracle attack in its initial stage of the attack.  The security update will fix this vulnerability.

What are best practices to secure my data within the web.config file?

It is always a best practice to encrypt sensitive configuration data within web.config files. That way if your web.config file is ever exposed, attackers can not use its contents maliciously.  This MSDN documentation describes how to encrypt web.config file configuration sections: http://msdn.microsoft.com/en-us/library/zhhddkxy(VS.80).aspx.  This tutorial also provides more samples of how to encrypt web.config file contents: http://www.4guysfromrolla.com/articles/021506-1.aspx

Why am I getting an error running the vulnerability detection .vbs script?

In my initial blog post I pointed at a .vbs script that you can run against a server to identify any applications within it that need to have their <customErrors> sections updated as a workaround against the publicly disclosed exploit. 

On IIS 7, the script requires you to have the IIS 6 management compatibility feature installed to be able to use this script.  To enable this, run Add/Remove Programs on workstations and Add Web Server Role Services on server operating systems and select the IIS 6.0 Management Compatibility feature under the “Internet Information Services” feature area. If this feature is already installed, please ensure that you are running the script with Administrator privileges.


View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-05-25 9:58:37 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search