
As reported by Slashdot, MS issued an update to ASP.NET to fix the hash collision attack today. (Listed as "Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414" on the linked Technet page.)

The problem is that the POST data are converted into a hash table that uses a known hashing algorithm. And if an attacker uses this by crafting a request that contains lots of collisions, he can easily cause a Denial of Service.

Does anyone know how exactly that update fixes the issue?

John Saunders
svick

1 Answer


The update is not a complete fix, but rather a workaround. It limits the number of POST parameters accepted.

  • How did you find that out? Do you have some source? – svick Dec 29 '11 at 22:09
  • The guys who presented this vulnerability gave this information. – Piotr Perak Dec 30 '11 at 23:53
  • @Peri and where did they do that? – svick Dec 31 '11 at 01:32
  • Here are the slides http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html and here is the video http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/28c3-4680-en-effective_dos_attacks_against_web_application_platforms_h264.mp4 – Piotr Perak Dec 31 '11 at 10:24
  • There will be an update, but for now we can use the solution proposed here http://stackoverflow.com/questions/8696718/validate-request-before-application-beginrequest – sergiogarciadev Jan 02 '12 at 06:48
  • Better to use [this solution](http://stackoverflow.com/a/8684879/4830) if you need to work around the limitation: add `` to your appSettings in web.config. – Michiel van Oosterhout Jan 12 '12 at 07:25
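Added example (not from the question, the answer, or Microsoft's update): a small Python simulation of the mechanism the question describes and of both mitigations the thread mentions. The hash function is a stand-in for "a known hashing algorithm" and is not the hash .NET used; the request body is constructed here; and the 1000-field cap is an illustrative value, not a claim about what the update actually enforces. The keyed BLAKE2 hash is shown as the alternative fix (make collisions unpredictable rather than capping the field count).

```python
import hashlib
import secrets
from itertools import product
from typing import Callable, Optional

MASK32 = 0xFFFFFFFF


def weak_hash(key: str) -> int:
    """Deterministic multiplicative string hash (h = h*33 + c, 32-bit).
    Stand-in for a publicly known hash; NOT the algorithm .NET used."""
    h = 5381
    for ch in key:
        h = (h * 33 + ord(ch)) & MASK32
    return h


def keyed_hash_factory(secret: Optional[bytes] = None) -> Callable[[str], int]:
    """Return a hash whose output depends on a per-process secret key, so an
    attacker cannot precompute colliding keys (assumed mitigation)."""
    secret = secret or secrets.token_bytes(16)

    def keyed_hash(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=4).digest()
        return int.from_bytes(digest, "big")

    return keyed_hash


def colliding_keys(n_blocks: int) -> list[str]:
    """Build 2**n_blocks distinct keys that all share one weak_hash value.
    'Ab' and 'BA' collide because 33*65 + 98 == 33*66 + 65; picking either
    block at each position keeps the collision, since the hash is a linear
    recurrence and a suffix collision holds for any prefix state."""
    return ["".join(p) for p in product(("Ab", "BA"), repeat=n_blocks)]


def attack_body(n_blocks: int) -> str:
    """Constructed x-www-form-urlencoded body made only of colliding keys."""
    return "&".join(f"{k}=x" for k in colliding_keys(n_blocks))


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, so
    the cost of a request can be measured instead of timed."""

    def __init__(self, hash_fn: Callable[[str], int], n_buckets: int = 4096):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1          # every colliding key is compared
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


class TooManyFields(ValueError):
    pass


def parse_form(body: str, hash_fn: Callable[[str], int],
               max_keys: Optional[int] = None) -> ChainedTable:
    """Parse a form body into a ChainedTable. max_keys models the cap the
    answer describes: the request is rejected before the table does the
    quadratic work. The cap value is the caller's choice (assumption)."""
    table = ChainedTable(hash_fn)
    count = 0
    for field in body.split("&"):
        if not field:
            continue
        count += 1
        if max_keys is not None and count > max_keys:
            raise TooManyFields(f"more than {max_keys} form fields")
        k, _, v = field.partition("=")
        table.insert(k, v)
    return table


if __name__ == "__main__":
    body = attack_body(10)                       # 1024 colliding keys
    print("deterministic hash comparisons:", parse_form(body, weak_hash).comparisons)
    print("keyed hash comparisons:", parse_form(body, keyed_hash_factory()).comparisons)
    try:
        parse_form(body, weak_hash, max_keys=1000)
    except TooManyFields as e:
        print("rejected:", e)
```

With 1024 colliding keys the deterministic table performs 1024*1023/2 = 523,776 comparisons for one request, and the cost grows quadratically with the number of fields; the keyed hash spreads the same keys across buckets, and the cap rejects the request before any insert happens. Note that merely seeding the initial state of a linear hash like `weak_hash` would not help here: the collision is in the suffix and holds for every prefix state, which is why the keyed example uses a proper keyed hash instead.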