The Tech Herald

Microsoft releases patch for hash collision DoS

by Steve Ragan - Dec 30 2011, 00:35


Microsoft and several other platform developers have either addressed, or are currently working to resolve, a hash collision problem, which if exploited can trigger a denial-of-service condition. On Thursday, Microsoft pushed an emergency patch to address the issue on .NET, making them the latest to correct it.

The problem was first researched and exposed in 2003, but later research has discovered the issue on a wider scale, including most of the mainstream web development platforms deployed today.

At issue is the POST function, which can be attacked to trigger a DoS. According to n.runs AG, the firm that reported on the issue, the usage of hash tables in Perl and CRuby was found vulnerable to collisions in 2003, prompting the platforms to introduce randomization in order to address the issue.

Today, the same condition of collision has been discovered to impact PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.

“Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks. As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack (not necessarily against the same website),” the n.runs AG report explains.

The initial n.runs AG research is here.

The Ruby, Tomcat, and PHP security teams have addressed the issue, with new releases and mitigations. Oracle hasn’t made any moves to address the problem, and Microsoft went out-of-band to release a patch for the issue on Thursday.

“While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible,” Microsoft said in a statement.

During the 28th CCC conference in Germany (28c3), Alexander Klink and Julian Wälde discussed the vulnerability. The video is available here, and worth the time spent watching if you’re a developer or systems administrator.

“We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work,” noted Qualys’ Wolfgang Kandek.

“The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500, which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.”
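The effect of the field limit Kandek describes can be shown with a short sketch. This is an added example, not code from Microsoft, n.runs AG or the article: `ChainedTable`, `parse_form` and `worst_case_hash` are hypothetical names, the table is a toy, and a constant hash function stands in for a set of colliding keys so that no real hash function is involved.

```python
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 500  # default limit quoted in the article


class TooManyFormKeys(ValueError):
    """Raised when a POST body carries more fields than the cap allows."""


class ChainedTable:
    """Toy chained hash table that counts key comparisons (illustration only)."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def parse_form(body, table, max_keys=MAX_FORM_KEYS):
    """Parse a form-urlencoded body; reject it before any insert if over the cap."""
    if not body:
        return table
    # Count separators first: cheap linear scan, no hashing yet.
    if body.count("&") + 1 > max_keys:
        raise TooManyFormKeys(f"more than {max_keys} form fields")
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        table.insert(unquote_plus(name), unquote_plus(value))
    return table


def worst_case_hash(_key):
    """Constructed worst case: every key shares one bucket."""
    return 0


def comparisons_for(n_fields, max_keys):
    """Return comparisons spent on a constructed body of n_fields fields."""
    body = "&".join(f"k{i}=v" for i in range(n_fields))
    return parse_form(body, ChainedTable(worst_case_hash), max_keys).comparisons
```

With every key in one bucket, n inserts cost n(n-1)/2 comparisons, so the cap bounds the work per request at 124,750 comparisons while leaving the hash function itself unchanged.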
