João Ribeiro

Exchange Server ;Office Communications Server and Windows Mobile / Phones

UPDATE !! Microsoft Security Advisory 2418042 ( Former 2416728), the ASP.NET Vulnerability, and Exchange Server !!

UPDATE – 28/09/2010

A new Security Bulletin was released relating this Vulnerability :

Microsoft Security Bulletin MS10-070 – Important: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Microsoft Security Bulletin MS10-070 – Important

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Published: September 28, 2010

Version: 1.0

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

======================= |========================= |=========================== |================================== |==========================| =====================

On September 17, Microsoft released Microsoft Security Advisory (2416728), “Vulnerability in ASP.NET Could Allow Information Disclosure.” As stated in the advisory, Microsoft is investigating a new public report of a vulnerability in ASP.NET. Additional information about the issue can also be found in Understanding the ASP.NET Vulnerability on the Microsoft Security Research and Defense blog, and in the following blog posts by Microsoft .NET Developer Platform Vice President Scott Guthrie:

All Microsoft Exchange versions starting with Exchange 2003 use ASP.NET in a manner where potential for this vulnerability exists. However, if you have implemented a default configuration within your environment there are only a handful of files which may contain sensitive data that could be potentially accessed. In addition this sensitive data is only useable if the attacker has managed to penetrate the additional defense layers built into Exchange.

How to detect an attack on Exchange

An attack attempt against Exchange Server should generate warnings in the application event log of your server similar to:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/11/1111 11:11:11 AM
Event time (UTC): 11/11/1111 11:11:11 AM
Event ID: 1309
Event sequence: 133482
Event occurrence: 44273
Event detail code: 0
Application information:
Application domain: c1db5830-1-129291000036654651
Trust level: Full
Application Virtual Path: /
Application Path: C:\foo\TargetWebApplication\
Machine name: FOO
Process information:
Process ID: 3784
Process name: WebDev.WebServer40.exe
Account name: foo
Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and cannot be removed.

We strongly recommend customers monitor their Application logs for instances of this event and investigate them if seen. These event logs would contain an Event Occurrence field that provides a counter of the number of exceptions triggered.

Note: You may also see this warning event logged due to other reasons (including cases for example where you have mismatched keys on a web-farm, or a search engine is following links incorrectly, etc), so its presence does not necessarily indicate an attack of this nature.

The presence of this ‘Event Occurrence’ also does not indicate that an attack was successful.

If the event is detected and you believe it is the ASP.NET attack, it is possible to use stateful filters in your firewall or intrusion detection systems on your network to detect patterns and block malicious clients.

As indicated in the advisory, Microsoft is currently working to develop a security update to address this vulnerability with details of any fix released in the future being reposted on this blog and the Microsoft Security Advisory (2416728) page.

Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution. We will post again to inform Exchange customers once this security update has been released to resolve the ASP.Net issue. We do not have an ETA for this fix being available at the time of writing. Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server

Posted by Kevin Bellinger @

Kind regards,


João Ribeiro