ASP.NET DoS Vulnerability


by Mike Y
Microsoft has patched CVE-2011-3414, a vulnerability in its ASP.NET web development platform. The “vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers,” according to Suha Can and Jonathan Ness, engineers at the Microsoft Security Response Center. An anonymous user, HybrisDisaster, “published a proof-of-concept (PoC) exploit for the ASP.NET vulnerability on GitHub.”

This is relevant to the class topic because many people use ASP.NET to develop their websites. I feel that Microsoft has a good response time, as an out-of-band patch was released relatively quickly. The article stated that “a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90–110 seconds.” Good coding practices should make these types of attacks less likely, even though good coding practices can’t stop exploits.

ASP.NET has about 21% of the market share, according to w3techs.com. The vulnerability can affect many sites since so many people use it. Although Microsoft responds quickly, I’m sure many people do not update their sites using ASP.NET as frequently as they should. Hackers like HybrisDisaster can exploit such vulnerabilities to take down sites or spread viruses.

 

Constantin, L. (2012, January 10). Attack code published for serious ASP.NET DoS vulnerability. PCWorld. Retrieved from http://www.pcworld.com/businesscenter/article/247731/attack_code_published_for_serious_aspnet_dos_vulnerability.html

 

Usage statistics and market share of ASP.NET for websites. (n.d.). Retrieved from http://w3techs.com/technologies/details/pl-aspnet/all/all