Flaw in web app frameworks pushes Microsoft to patch ASP.net promptly

The way many web app frameworks handle hashes makes them vulnerable to a denial-of-service attack, researchers revealed

Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.NET platform just hours later.

Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the results of a calculation -- the hash function -- performed on the data itself. Ideally, the hash function would return a different result, or hash, for each possible item of data, but this is not achievable in practice, so implementations of hash tables have to deal with 'hash collisions,' where two or more different pieces of data generate the same hash.

A collision slows the storage and retrieval of the data involved, the time taken for those operations typically increasing with the square of the number of items involved in the collision, according to Alexander "alech" Klink of German security consultancy n.runs and Julian "zeri" Wälde of Darmstadt Technical University.

An attacker with knowledge of how a web application calculates hashes can send it a batch of data sure to result in many collisions, "making it possible to exhaust hours of CPU time using a single HTTP request," Klink and Wälde warned in an advisory on Wednesday.

PHP 5, Java and ASP.NET are all vulnerable to the attack, the two said in their advisory and in a related presentation at the Chaos Communication Congress in Berlin.

Microsoft published a security advisory later Wednesday, acknowledging that a vulnerability in ASP.NET could allow a denial of service attack, and suggesting a work-around for the problem. Shortly afterwards the company announced that it will break from its regular monthly security update schedule to release a patch for the vulnerability on Thursday at around 10 a.m. Pacific Time.

Klink and Wälde said in their security advisory that the Java application server Apache Tomcat had already been patched "to limit the number of request parameters using a configuration parameter," stopping an attacker from causing too many hash collisions at once. "The default value of 10,000 should provide sufficient protection," they wrote. The update can be found in Tomcat versions 7.0.23 and 6.0.35 onwards.

Web application platform developers had plenty of warning of the problem, according to Klink and Wälde: The attack was described as long ago as 2003, they said, in the Usenix Security paper "Denial of Service via Algorithmic Complexity Attacks" by Scott A. Crosby and Dan S. Wallach.

Changes were made to Perl that year to randomize the way hashes are calculated, preventing attackers from calculating collisions ahead of time, and similar changes were subsequently made to CRuby from version 1.9, they said.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?