So late Friday two security researchers presented a side channel attack on the encryption and validation methods used on viewstate. This attack allows the attacker to derive the machine key used to encrypt viewstate and thus create their own signed viewstate, possibly compromising the web application. Side channel attacks work by analysing the response from the cryptosystem to infer information, in this case using the error responses from invalid padding. Now that the researchers have presented their work, it is under investigation; MSRC have an official advisory along with further information. ScottGu has also posted more details, including a workaround which will protect you against the attack until a patch is issued.

With regard to the workaround, it’s important to note that it requires you to return the same error page for every error in your application, be it an exception or page not found. The addition of a small random delay to error page delivery reduces the possibility of a timing attack (where the time taken to produce an error can be used to infer information). The attack does not rely on having full stack trace errors, or any of the things you would normally disable for a live site, so it’s important that you apply the workaround on every site until a patch comes along.
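One way to check a site's web.config against the single-error-page requirement described above. This is an added example, not code from the advisory or from ScottGu's post; the function name and the sample configurations are constructed for illustration, and the check does not cover the random delay.

```python
import xml.etree.ElementTree as ET

# Constructed sample: every error is sent to one page.
HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

# Constructed sample: "page not found" gets a different page from other errors.
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/error.html" />
  </customErrors>
</system.web></configuration>"""

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}customErrors".
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means one page serves every error."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section: no single error page is configured"]
    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET's default when omitted
        default = ce.get("defaultRedirect")
        # RemoteOnly still serves custom errors to remote clients, so only Off is flagged.
        if mode == "Off":
            findings.append("mode=Off: ASP.NET's own error responses reach remote clients")
        if not default:
            findings.append("no defaultRedirect: errors are not all sent to one page")
        for err in ce:
            # A per-status entry is a problem when it points away from the default page.
            if _local(err.tag) == "error" and err.get("redirect") != default:
                findings.append("statusCode %s goes to %s, not the default error page"
                                % (err.get("statusCode"), err.get("redirect")))
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_custom_errors(cfg) or "OK")
```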

If you have questions please use the forum dedicated to the issue.
