MA-251.092010: MyCERT Alert - Vulnerability in ASP.NET Could Allow Information Disclosure

  • 20 Sep 2010
  • Alert
1.0 Introduction

Microsoft is investigating a new public report of a vulnerability affecting ASP.NET (CVE-2010-3332). At this time the vulnerability is still under investigation and no patch is available. Users who must continue to run ASP.NET can, however, apply the workarounds listed in section 4.0.

2.0 Impact

An attacker who successfully exploits this vulnerability could read data, such as the View State, that was encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could help in further compromising the affected system.[1]

3.0 Affected Products

Below is the list of vulnerable products:



4.0 Recommendation

4.1 Enable ASP.NET custom errors, and map all error codes to the same error page.

Determine if you already have a web.config file in the root folder of each ASP.NET web application. You must have rights to create a file in the target directory to implement this workaround.
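The point of the workaround is that every failure, whatever its cause, must produce one and the same response, so that nothing in the error page tells a client which kind of error occurred. The following check, added here as an example and not part of the advisory, parses an existing web.config and reports whether customErrors is switched on and whether all error codes land on the defaultRedirect page; the two sample configurations are constructed.

```python
"""Check whether an ASP.NET web.config applies the section 4.1 workaround:
customErrors enabled and every error code mapped to one and the same page.
Added example, not from the advisory; the sample configs are constructed."""
import xml.etree.ElementTree as ET


def check_custom_errors(web_config_xml):
    """Return (compliant, reason) for the given web.config text."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return False, "no <customErrors> element: ASP.NET default error handling in use"
    mode = node.get("mode", "")
    if mode != "On":
        return False, f'customErrors mode="{mode}": detailed errors may reach clients'
    default = node.get("defaultRedirect")
    if not default:
        return False, "customErrors has no defaultRedirect page"
    # Per-status-code <error> children that point elsewhere let a client tell
    # one failure apart from another; every code must land on the same page.
    for err in node.findall("error"):
        target = err.get("redirect")
        if target != default:
            return False, (f'statusCode {err.get("statusCode")} redirects to '
                           f'{target!r}, not {default!r}')
    return True, f"all errors map to {default!r}"


# Constructed sample: custom errors are on, but 404 and 500 are distinguishable.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/error.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: a single page for every error code.
FIXED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        ok, why = check_custom_errors(cfg)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {why}")
```

Run it against the web.config in the root folder of each application; a FAIL line names the first setting that still lets error conditions be told apart.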

If the ASP.NET application does not have a web.config file:

On .NET Framework 3.5 RTM and earlier

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents: