IMPORTANT: Security hole in ASP.NET and how to secure your installation

Monday, September 20, 2010 by Administrator

This weekend a security flaw has been identified in Microsoft ASP.NET - the framework that Umbraco is based on. This will affect any Microsoft ASP.NET based application including any Umbraco installation as well as any other CMS that builds upon Microsoft ASP.NET.

This means that you have to take action to secure your site!

We've produced a guide that describes how to patch your installation, and we've also produced an Umbraco package that will try to patch your installation automatically and, if it can't, will guide you through doing it by hand. You can find the package in the package repository under Developer tools; it's called "ASP.NET Security Vulnerability Patch":

[Screenshot: vulnerabilitypatch]

When you run the package, it'll show you a status on whether or not your website is vulnerable. If it is there's a big "Fix this problem" button to press:

[Screenshot: Capture]

We're seeding this information via the update checker, our mailing list and our twitter accounts but please help us spread the word. This speechbubble (yes, we'll need to work on the css on long messages!) will be shown to all administrators that log in to Umbraco over the next 14 days. It'll show even if you've patched your installation - unfortunately we don't have any way to prevent this as the patch isn't related to the Umbraco core:

[Screenshot: speechbubble]

The Panic Fund

We were able to make, test and distribute this patch because of our Panic Fund. In the HQ we have an account which makes it possible to book all HQ staff on core development for a week. We can use this fund in emergencies like this one. Despite the frustrating circumstances, it's just yet another example of why I'm proud of how we've managed to build the Umbraco HQ and why it makes the whole project sustainable.

Now stop reading and start patching!

For more details visit the project page for this patch.

For in-depth information on the ASP.NET security issue, visit Scott Guthrie's blog.

48 comment(s) for “IMPORTANT: Security hole in ASP.NET and how to secure your installation”

  1. Lee Kelleher Says:

    Excellent quick turnaround, from hearing about the security issue and getting a package/patch released!

    Great work by the HQ/core team!

  2. Chris Houston Says:

    Hi Niels,

    Great news, thanks to the HQ team for getting this patch out so quickly!

    Cheers,

    Chris

  3. G. Rahman Says:

    Maybe I'm misunderstanding, but based on Scott Guthrie's blog entry, it seems like the recommended steps you have in the linked-to guide (which I'm assuming outline the same things the package above would check), wouldn't effectively mask the vulnerability. Scott G. says that 400 and 500 errors need to return the same thing so that no distinction can be made between them. Umbraco has a mechanism that bypasses the standard customError mechanism: the "errors" section of the config/umbracoSettings.config file.

    I tried applying these settings to a v3 and a v4.5 site and neither of them had the desired effect. Adding the "customErrors" section to web.config in the described manner will cause 500 errors to redirect to the desired page; however, 404 errors go to a customized page that can only be specified in the umbracoSettings file. Since they go to different places, they reveal different results to the attacker and allow the attacker to surmise the information they need.

    Is there a way around this?

  4. Tom Says:

    My reading of the Guthrie post left the same question raised by G.Rahman above.

  5. Tom Says:

    To return the same error page for 404 and 500 errors, I set the customErrors page to the published location of an error page node in my umbraco install (/error in my case because I use directory Urls). You also need to set the node ID for the error page node in the following location: /config/umbracoSettings.config under the error404 section. This should cause umbraco to return the same 404 page that .net will return for a 500 error, correct?

  6. Hartvig Says:

    An update is coming tomorrow that'll handle 404s as well. We've just been in touch with Microsoft and they recommend that both error 500 and 404 uses the same error page.

    We're testing tonight and will be distributing the update Tuesday morning (GMT+1).

    Sorry for the inconvenience!

  7. Murray Says:

    Hi
    Could you also document exactly what the package patch does? I want to ensure I can undo it when Microsoft patch the framework, and I'd like to roll it out on lots of sites; using the package installer may not be the fastest way to do it.

    Keep up the good work.
    Murray.

  8. Per Ploug Krogslund Says:

    @Murray, the developer PDF outlines the patch in 3 simple steps, get it from the project page here:

    http://our.umbraco.org/projects/developer-tools/aspnet-security-vulnerability-patch

  9. Ross Allan Says:

    Just noticed something in the instruction documents and wanted to double check if it's a typo or not.

    In both 'For Developers.pdf' and 'Guide_1.1.pdf' there are instructions on updating the web.config file, which state that you should update your to:



    should that read



    (poetpatcher not poetpathcer)

  10. Ross Allan Says:

    Sorry, that should read..


    In both 'For Developers.pdf' and 'Guide_1.1.pdf' there are instructions on updating the web.config file, which state that you should update your customErrors to:

    umbraco/plugins/poetpathcer/CustomError.aspx

    should that read:

    umbraco/plugins/poetpatcher/CustomError.aspx

    (poetpatcher not poetpathcer ?)

  11. drew Says:

    I noticed the spelling mistake too; fixing the spelling mistake and doing all the 3 steps in the instructions still doesn't work.

  12. Jeavon Leopold Says:

    Fantastic work, a slight issue though as with the patch implemented a 404 status code is not returned for deleted or renamed pages so search engines will not de-list the pages. Is there any reason why CustomError.aspx should not always return a 404 status code?

  13. Ross Allan Says:

    I've implemented this fix on a couple of staging sites now, preparing to put the fix onto the live sites.

    When I go to:

    YOURDOMAIN.com/umbraco/plugins/poetpatcher/CustomError.aspx

    All I see is the standard error page:

    Server Error in '/' Application.
    The resource cannot be found.
    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

    Requested URL: /umbraco/plugins/poetpatcher/CustomError.aspx

  14. James Knowles Says:

    Guys, you should remove the patch as it stands, as it is possibly not a fix for the security issue if it does not handle 404 errors and 500 errors differently.

    "Can I configure a custom 404 error page response and a default redirect for all other errors?
    No. By doing this you are still letting an attacker draw distinction between a 404 and other errors. Homogenizing errors is a crucial component to mitigating this attack. Note that this is a workaround until a security patch is available to fix the underlying product vulnerability. This workaround will not be required once we release a security update.
    "

    http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx

  15. Jeavon Leopold Says:

    I understand that we can't send a different status code for 500 or 404, but what about sending 404 status code for both 404 and 500 errors until the MS Patch is released?

  16. Hartvig Says:

    @Jeavon: Unfortunately this is not a bug but how it should work until MS have the patch ready. In order to make it harder to utilize the vulnerability we have to send status 200 codes no matter if it's a 404 or 500. It sucks, but luckily it'll change once MS have a patch ready.

    @James: v1.1 of the patch that was released this morning solves this already.

  17. James Knowles Says:

    My apologies, you have already handled the 404 error in the next release you have put out.

    James

  18. Jeavon Leopold Says:

    From a reply to a comment by ScottGu @ http://weblogs.asp.net/scottgu/

    "One of the ways this attack works is that looks for differentiation between 404s and 500 errors. It can use this differentiation to try out potential keys (typically over tens of thousands of requests). Always returning the same HTTP code and sending them to the same place is one way to help block it. Note that one way to solve it would be to always return a 404 error page - in which case your search scenario should still be ok."

    Therefore it would seem to me to be a better solution to return a 404 for all issues until the full patch is available, any thoughts?

  19. Neil Fenwick Says:

    All,

    A potential warning: It seems that the recommended Microsoft workaround is not necessarily guaranteed to protect you.

    If an attacker is bent on exploiting your site, they could just interpret seeing your error page as an "invalid" response from the encryption padding oracle, and hence they get an "answer" to a purposefully crafted invalid post anyway. Then doing it enough times is potentially still going to give them the answer; it's just the interpretation of the behaviour of your application to invalid encryption padding, whether that "error" page is a YSOD or the same standard message.

    The fundamental problem is with using a block-level cipher to encrypt client-side responses because they are vulnerable to padding attacks.

    Wouldn't want to be in MS's shoes here. I imagine they're faced with potentially double-encrypting now... (just speculating though - there's prob people plenty smarter than me working on it)

    Good posts here:
    http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx

    and here:

    http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/

  20. Pervez Choudhury Says:

    The patch works great for Umbraco sites that are installed in the root of a website, but it will not fix Umbraco 4.5 sites where it is installed in a virtual directory.

    Is this something that will be addressed?

  21. James Knowles Says:

    Any chance you could get a release of the source so that we can build and see what you did to fix this issue? I currently cannot get the patch to work on 4.0 and 4.0.2.1. But I would be more than happy to work on fixing those myself if I could see what you put in place.

  22. Guy Pucill Says:

    Just applied the patch to my website umbraco v 4.5.2 (Assembly version: 1.0.3891.20719)
    - worked perfectly. It took only 30 sec. Thanks team!

    Only two small typos. ;-)

    "Your umbraco installation has been upgrade, the following tasks has been performed:"

    Should be

    "Your umbraco installation has been upgraded, the following tasks have been performed:"

    Regards/Guy

  23. Tobias Says:

    Just wanted to notify about three errors in the manual installation guide:

    1. There is a typo in the web.config section (as noted by another user). Should be "poetPatcher".
    2. There is also a typo for the 404handlers.config file. It should be "Umbraco.PoetPatcher" for the assembly value. The difference is the capital U in Umbraco (I guess the actual problem is the dll-name).
    3. You have to add the folder /umbraco/plugins/poetPatcher and then add the CustomErrors.aspx page in it. It's basically an empty html-page which has the "An error occurred while processing your request." text inside the body tag.

  24. Northk Says:

    Thanks to the Umbraco team for creating a patch so quickly-- the package worked great for me.

    I'm wondering how we should provide a custom 404 page that matches the rest of our site though-- perhaps we should replace umbraco/plugins/PoetPatcher/CustomError.aspx with our own error page...which would be displayed for any and all errors that come up (including 404 errors)?

    Can someone please confirm that this is the right way to provide a custom 404 page given the current circumstances?

    Thanks

  25. SijmenK Says:

    Did not work the first time for me on W2008R2, umbraco v 4.5.2 (Assembly version: 1.0.3891.20719), installed on its own iis7 'site'.

    Had to install and run a second time, successfully!

  26. wtct Says:

    Why can't we set our own 404 page in the defaultRedirect attribute?

  27. wtct Says:

    What is more the status code of Not Found Page is 200 OK...

  28. Matt Says:

    Not sure if anyone has mentioned this yet, but in your pdf guide, specifically this part



    it is very important that you get these details right, for best results, copy the text from this document to
    your web.config file

    This has a typo. poetpathcer should be poetpatcher.

  29. Ferry Meidianto Says:

    Thanks guys, it simplifies the security update job.

  30. Hartvig Says:

    @wtct: As much as I agree on both the idea of a custom 404 message AND that you should return proper status codes (whether 500 or 404), the recommendation given from Microsoft is to return the exact same page with error code 200.

    Please understand that this is temporary until Microsoft comes with a patch and at least it's better than having your site compromised despite the obvious SEO issues it'll cause.
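The following web.config fragments are an added illustration of the point G. Rahman raises in comment 3 and the recommendation Hartvig restates in comment 30; they are constructed for this page and are not configuration taken from the original post or shipped in the patch package. The first fragment shows the kind of per-status setup that leaks the 404/500 distinction, the second the homogenized setup. The paths ~/error.aspx and ~/notfound.aspx in the first fragment are placeholders; the defaultRedirect path in the second is the one the comments above settle on.

```xml
<!-- Constructed example, not from the original post or the patch package. -->

<!-- BEFORE: a dedicated 404 page plus a default page for everything else.
     A client can tell a 404 from a 500 by which page it lands on, which is
     exactly the distinction the workaround has to remove. Both paths here
     are placeholders. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER: one page for every error and no per-status <error> entries.
     redirectMode="ResponseRewrite" (available from ASP.NET 3.5 SP1) serves
     the error page in place of the failed response instead of issuing a 302,
     so the client sees the same URL and the same body for a 404 and a 500,
     and, unless the error page sets a status itself, the same status code.
     Note the folder name: poetpatcher, not poetpathcer. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/umbraco/plugins/poetpatcher/CustomError.aspx" />
  </system.web>
</configuration>
```

Two caveats that the comments above make clear. First, web.config alone is not enough on an Umbraco site: Umbraco routes 404s through its own errors section in umbracoSettings.config and through 404handlers.config (comments 3, 5 and 23), so those must point at the same page too, or 404s still take a different route than other errors. Second, Scott Guthrie's post linked in the article also has the error page itself wait a short random interval before responding, so that response timing does not become another way to tell the error types apart.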

  31. ismail mayat Says:

    Guys,

    Just to update, the patch also works nicely with umbraco 4.0.2.1 on ASP.NET 3.5 SP1 on win2k3.

    Regards

    Ismail

  32. Dave Rollins Says:

    FYI - Your instructions have an error in them!



    Should be

  33. Anders Says:

    Great work, thanks :-)

  34. Gianluca Colucci Says:

    I installed the patch by installing the available package. Umbraco did everything by itself and I was not requested to perform manually any operation. I can see there is the PoetPatcher folder in umbraco/plugins, and inside it I have CustomError.aspx, Guide.pdf and patch.ascx.

    However, since I installed this, sometimes when I click on "save & publish" I get a message which reports "an error occurred while processing your request". If I repeat the operation a second time, it works.

    Why is this happening? Can anyone help me to understand what is wrong?

    Thanks in advance,
    Gianluca.

  35. Peter Bro Says:

    Colucci - I see the same as you. Nothing is put in the umbracoLog?

    Any ideas?

  36. Gianluca Colucci Says:

    Hi folks!

    @Peter:
    yes, I have a few exceptions, too long to be pasted here or even in a paste-online site.
    Anyway, these are the short versions:

    1st: Error adding to SiteMapProvider: System.InvalidOperationException: Multiple nodes with the same URL '/it/homepage/company/online-support.aspx' were found.

    2nd: At /umbraco/editContent.aspx?id=1246 [...] A node with id '1757' already exists

    Do you think these could be the cause? How can I fix them?

    Thank you a lot again for your help,
    Cheers,
    Gianluca.

  37. JV Says:

    Since including the ASP.NET Security Vulnerability patch, saving folders in the media section causes this error "An error occurred while processing your request."

  38. Andreas Says:

    Don't know if this is because of the patch, but after I patched it, umbraco logs me out and then I can't log in again. It says it's the wrong password. But after a restart of the IIS server I can log in again.

  39. Peter Bro Says:

    @Gianluca: I don't have the solution for the problem but I am seeing the same error for one of my customers.

    As I see it, the errors in the umbracolog have nothing to do with this error.

  40. Peter Bro Says:

    Hi again.

    I found the problem. By setting customErrors to "Off" it was pretty obvious what the problem was.

    For me it was:
    Could not allocate space for object 'dbo.cmsPropertyData'.'PK_cmsPropertyData' in database 'db-name' because the 'PRIMARY' filegroup is full.

    Remember to set the customError back to what it was.

  41. Geoff Baldwin Says:

    Hi,
    very new to Umbraco and still finding my way around.
    Tried to install this patch on my first development site and got this:

    Your site is vulnerable.

    * Custom errors should have a default error page
    A custom error page can return a friendly error message without exposing system information
    * 404 error pages leading to different page
    Your website should only contain a single type of error page for all server errors (including 404)

    * Unable to update web.config
    Your security settings prohibits us from patching this issue automaticly

    * Unable to update /config/404handlers.config
    Your security settings prohibits us from patching this issue automaticly

    Unable to apply patch automatically

    Your settings need to be updated, but it looks like this will have to be done manually.

    To perform this action manually please take a look at our upgrade guide.

    Additionally you can place this security tester on your developer dashboard and re-run the security test . Unable to update dashboard.config

    Went to the guide and started to follow the instructions but failed at the first hurdle:
    Items you will need:
    • Information from your web hosting company about your website
    • This zip file containing an update .dll file (click here to download)

    The click here to download is not A LINK! So where do I get the dll?
    Thanks

  42. Matt Taylor Says:

    I was thinking of fixing this manually.
    I've been using the errors setting for error404 in the umbracoSettings.config until now.

    Is it not enough to just set a custom error page in the web.config as shown in ScottGu's blog or do I have to change the 404handlers.config too?

  43. Petr Says:

    Patch is released today...
    http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

  44. dc2010 Says:

    there is a typo in the Guide.pdf for the manual install of the package (this pdf is included in the package)

    it states your redirect should be



    it should be poetpatcher, not poetpathcer, as in


  45. dc2010 Says:

    well, my tags have been erased in the comment, but this is the correct path to include in customerrors

    ~/umbraco/plugins/poetpatcher/CustomError.aspx

    not

    ~/umbraco/plugins/poetpathcer/CustomError.aspx

  46. James Says:

    Special note for anyone using a custom "umbracoPath": this package will place PoetPatcher files in the wrong place (/umb...). Simply copying "plugins" to your custom path seems to take care of it and return 200's for everything.

  47. JT Says:

    The MS patch is now available via Windows Update FYI. For those of you that are confused, you do not need to do any of the steps above if you apply the Microsoft patch.

  48. Alex Says:

    What about 4.5 version?
    Does it have the same hole, or do we have to install the same patch and it will take care of it?
