Flaw in web app frameworks pushes Microsoft to patch ASP.net promptly
The way many web app frameworks handle hashes makes them vulnerable to a denial-of-service attack, researchers revealed
IDG News Service - Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.NET platform just hours later.
Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the results of a calculation -- the hash function -- performed on the data itself. Ideally, the hash function would return a different result, or hash, for each possible item of data, but this is not achievable in practice, so implementations of hash tables have to deal with 'hash collisions,' where two or more different pieces of data generate the same hash.
A collision slows the storage and retrieval of the data involved, the time taken for those operations typically increasing with the square of the number of items involved in the collision, according to Alexander "alech" Klink of German security consultancy n.runs and Julian "zeri" Wlde of Darmstadt Technical University.
An attacker with knowledge of how a web application calculates hashes can send it a batch of data sure to result in many collisions, "making it possible to exhaust hours of CPU time using a single HTTP request," Klink and Wlde warned in an advisory on Wednesday.
PHP 5, Java and ASP.NET are all vulnerable to the attack, the two said in their advisory and in a related presentation at the Chaos Communication Congress in Berlin.
Microsoft published a security advisory later Wednesday, acknowledging that a vulnerability in ASP.NET could allow a denial of service attack, and suggesting a work-around for the problem. Shortly afterwards the company announced that it will break from its regular monthly security update schedule to release a patch for the vulnerability on Thursday at around 10 a.m. Pacific Time.
Klink and Wlde said in their security advisory that the Java application server Apache Tomcat had already been patched "to limit the number of request parameters using a configuration parameter," stopping an attacker from causing too many hash collisions at once. "The default value of 10,000 should provide sufficient protection," they wrote. The update can be found in Tomcat versions 7.0.23 and 6.0.35 onwards.
Web application platform developers had plenty of warning of the problem, according to Klink and Wlde: The attack was described as long ago as 2003, they said, in the Usenix Security paper "Denial of Service via Algorithmic Complexity Attacks" by Scott A. Crosby and Dan S. Wallach.
Changes were made to Perl that year to randomize the way hashes are calculated, preventing attackers from calculating collisions ahead of time, and similar changes were subsequently made to CRuby from version 1.9, they said.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at email@example.com.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts