Microsoft is issuing an emergency, out-of-band update today to address a serious vulnerability that could enable attackers to conduct denial-of-service attacks using a hash collision attack technique.
If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys
Alexander Klink and Julian Wälde, security researchers
The vulnerability, which was demonstrated by researchers Wednesday at the Chaos Communications Congress in Berlin, is in a variety of popular Web programming languages, including ASP.NET, Java, PHP, Ruby and Apache. The researchers, Alexander Klink and Julian Wälde, said those behind the programming language toolsets are working to close the hash table weakness to prevent cybercriminals from using the attack.
In its security advisory, Microsoft is urging website developers to consider implementing a workaround, blocking potential hash collision attacks until a patch is released.
“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the software giant said. “It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.”
The researchers issued a coordinated notification paper outlining the hash table multi-collision (.pdf) issue to vendors. In it, they say the weakness has been known since 2003 and has influenced Pearl and cRuby developers to change their hash functions to include randomization, preventing the problem.
“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys,” the two researchers said in their paper.
According to the paper, the weakness could have implications for Web servers serving up Microsoft ASP.NET Web applications. A hacker with a high bandwidth connection could freeze up thousands of PCs, crippling the computers at an enterprise, the researchers said.
The United States Computer Emergency Readiness Team (USCERT) issued an advisory Wednesday, warning of the hash collision attack potentially causing a denial-of-service condition.
“Hash collision denial-of-service attacks were first detailed in 2003, but recent research details how these attacks apply to modern language hash table implementations,” according to the USCERT advisory. An application can be forced into a denial-of-service condition. In the case of some Web application servers, specially crafted POST form data may result in a denial-of-service.
Wolfgang Kandek of vulnerability management vendor Qualys Inc., said the attack technique is fairly simple to carry out and said a common workaround is to limit the request size to a Web server.
“The attack uses the HTTP POST protocol to submit variables to a server, which the server automatically keeps track of. By submitting hundreds of thousands of variables with specifically chosen names that cause name collisions in the hash tables used to store the variables, the CPU of the server is kept active,” Kandek wrote in the vendor’s blog. “This attack mechanism is simple and elegant, causing the server to spend minutes to hours for a single HTTP request.”