Earlier this week I posted about an ASP.NET Vulnerability, and followed this up with another blog post that covers some Frequently Asked Questions about it.

We are actively working on releasing a security update that fixes the issue, and our teams have been working around the clock to develop and test a fix that is ready for broad distribution across all Windows platforms via Windows Update.  I’ll post details about this once it is available.

Revised Workaround and Additional URLScan Step

In my first blog post I covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it.  Today, we are revising it to include an additional defensive measure.

This additional step can be done at a server-wide level, and should take less than 5 minutes to implement.  Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it.  Below are instructions on how to enable it.

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

  • x86 Version
  • x64 Version

It takes less than a minute to install on your server. 

Add an Additional URLScan Rule

Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

  • %windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section.  Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]
aspxerrorpath=


With the above entry in place, URLScan rejects any request whose query string contains “aspxerrorpath=” before it reaches ASP.NET, and IIS returns an HTTP error instead (a 404 with URLScan’s default reject settings).  Because the attack depends on telling the different kinds of server error apart, denying this query string removes a signal attackers use to distinguish them – which helps block attacks using this vulnerability.  Note that URLScan rules are server-wide: this entry applies to every site and application on the server.

After saving this change, run “iisreset” from an elevated (Run as administrator) command prompt for the change to take effect.  To verify it, request a URL on your site/application whose query string contains aspxerrorpath (for example, a page URL with ?aspxerrorpath=/default.aspx appended) and confirm that IIS sends back an HTTP error rather than the page.
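As an added example (not code from the original post), the following PowerShell script performs the three steps above on the server: it inserts the aspxerrorpath= entry under [DenyQueryStringSequences] exactly once, restarts IIS, and then probes the site with a plain aspxerrorpath query string, a percent-encoded variant, and a control request, reporting the status IIS returns for each.  The base URL, the probe paths and the backup file name are assumptions; substitute your own site.

```powershell
# Added example, not code from the original post. Applies the revised URLScan step end to end.
# Assumptions: URLScan is installed at its default location; the site answers on $BaseUrl.
$IniPath = Join-Path $env:windir 'system32\inetsrv\urlscan\UrlScan.ini'
$BaseUrl = 'http://localhost'            # assumption: change to your site

# --- Step 1: add "aspxerrorpath=" directly under [DenyQueryStringSequences], exactly once ---
$lines = @(Get-Content -Path $IniPath)
if ($lines -match '^\s*aspxerrorpath=\s*$') {
    Write-Host "Rule already present in $IniPath"
} else {
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[DenyQueryStringSequences\]') { $idx = $i; break }
    }
    if ($idx -lt 0) { throw "No [DenyQueryStringSequences] section in $IniPath; is this URLScan 3.x?" }

    Copy-Item -Path $IniPath -Destination "$IniPath.bak" -Force   # keep a copy to roll back to
    $updated = @($lines[0..$idx]) + 'aspxerrorpath='
    if ($idx -lt $lines.Count - 1) { $updated += $lines[($idx + 1)..($lines.Count - 1)] }
    Set-Content -Path $IniPath -Value $updated -Encoding ASCII   # UrlScan.ini is a plain ASCII file
    Write-Host "Rule added; backup written to $IniPath.bak"
}

# --- Step 2: restart IIS so URLScan re-reads its configuration ---
iisreset | Out-Null

# --- Step 3: verify. Returns the HTTP status IIS sends for a URL, error responses included. ---
function Get-HttpStatus {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Constructed probe URLs (assumptions): the plain form is what a probe for this bug looks like;
# the encoded form ("%61" is "a") checks that URL-escaping the sequence does not slip past the rule;
# the control confirms the site itself still serves normal requests.
$probes = @{
    'plain'   = "$BaseUrl/?aspxerrorpath=/default.aspx"
    'encoded' = "$BaseUrl/?%61spxerrorpath=/default.aspx"
    'control' = "$BaseUrl/"
}
foreach ($name in 'plain', 'encoded', 'control') {
    $status  = Get-HttpStatus $probes[$name]
    $verdict = switch ($name) {
        'control' { if ($status -lt 400) { 'served (expected)' } else { 'UNEXPECTED: site not serving' } }
        default   { if ($status -eq 404) { 'rejected (404 is URLScan''s default rejection)' } else { "NOT REJECTED (HTTP $status)" } }
    }
    Write-Host ("{0,-8} {1,-50} HTTP {2}  {3}" -f $name, $probes[$name], $status, $verdict)
}
```

Read the three lines together: the control request should succeed while both probes return 404.  A 404 on the probes combined with a successful control is the URLScan rejection rather than a missing page; if you want a second confirmation, URLScan writes rejected requests to its log directory (by default %windir%\system32\inetsrv\urlscan\logs).  If the encoded probe is not rejected, URLScan is matching the raw rather than the unescaped query string, and you should review the query-string options in the [Options] section of UrlScan.ini before relying on the rule.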

Summary

If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.

Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability.  Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications. 

Once we release the security update, you will no longer need to implement any workaround steps.  You can learn more about this vulnerability and the workaround from:

Please post specific questions about the vulnerability in this forum on the www.asp.net web-site.

Thanks,

Scott