December 22, 2014

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular Web programming languages (like PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make the form data easily accessible to application developers. As a result, an attacker can send a small number of specially crafted POST requests to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request,” write the pair in their advisory.

Microsoft have been one of the first to respond to this issue with several announcements, including Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory, this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely that it will release updates for:

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

The updates would cover Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32-bit, Intel 64-bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.