October 26, 2014

Python Happy to put Hash Attack Issues Behind it

(LiveHacking.Com) – The Python development team have released Python 2.7.3 and 3.2.3 to fix Python’s hash based types to make them immune to denial of service attacks as disclosed at  the Chaos Communication Congress event in December 2011. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java and Ruby.

The problem is that computer languages that use hash functions, including Python, are susceptible to collision attacks. To work effectively hash tables require a well-distributed hash function to spread data evenly across the table. The algorithmic complexity of inserting colliding elements into a table makes it possible to exhaust hours of CPU time and cause a denial of service situation. Python has two hash based types dict and set which have been changed to add randomization to the hashing of Python’s string types datetime.date, and datetime.datetime. This prevents an attacker from computing colliding keys of these types without access to the Python process.

According to the release announcement, “hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it.”

The new versions of Pthyon also update the expat XML parsing library which had the same hash security issue. The hashing algorithm used in the expat library is now randomized.

The update also fixes some other security related bugs:

  • Issue 14001 / CVE-2012-0845 – A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.
  • Issue 13885  / CVE-2011-3389 – Disabling of the CBC IV attack countermeasure in the _ssl module.

The team also released Python 2.6.8 and Python 3.1.5 as security-fix source-only releases. 2.6 and 3.1 are now in security maintenance mode only with no new bug fix releases planned. The Python development intend to provide source-only security fixes for the Python 2.6 series until October 2013 (five years after the 2.6 final release) and  for the Python 3.1 series until June 2014 (five years after the 2.6 final release).

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security Researchers have exposed a flaw in the way the popular Web programming languages (like PHP, ASP.NET and Python) handle hash table collisions resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. And so it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.

Microsoft have been one of the first to respond to this issue with several announcements including  Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. Tthe .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely it will will release updates for

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

For Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32 bit, Intel 64 bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability NoteVU#903934 and n.runs Security Advisory n.runs-SA-2011.004.