Microsoft and several other platform developers have either addressed, or are currently working to resolve, a hash collision problem which, if exploited, can trigger a denial-of-service condition. On Thursday, Microsoft pushed an emergency patch to address the issue in .NET, making it the latest vendor to correct it.
The problem was first researched and exposed in 2003, but later research has discovered the issue on a wider scale, including most of the mainstream web development platforms deployed today.
At issue is the handling of HTTP POST parameters, which can be attacked to trigger a DoS: the parameter names in a request body are stored in a hash table, and a body built from thousands of names that all hash to the same value forces the server to do quadratic work on a single request. According to n.runs AG, the firm that reported on the issue, the hash tables in Perl and CRuby were found vulnerable to such collisions in 2003, prompting those platforms to introduce hash randomization to address the issue.
The same collision weakness has now been found in PHP 5, Java, .NET and Google's V8, while PHP 4, Ruby and Python are affected to a lesser degree.
“Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks. As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack (not necessarily against the same website),” the n.runs AG report explains.
The initial n.runs AG research is here.
The Ruby, Tomcat, and PHP security teams have addressed the issue with new releases and mitigations. Oracle has not yet moved to address the problem in Java, and Microsoft went out-of-band to release a patch for the issue on Thursday.
“While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible,” Microsoft said in a statement.
During the 28th CCC conference in Germany (28c3), Alexander Klink and Julian Wälde discussed the vulnerability. The video is available here and is worth watching if you are a developer or systems administrator.
“We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work,” noted Qualys’ Wolfgang Kandek.
“The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500, which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.”
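The following is an added example, not code from the original article, from n.runs AG, or from Microsoft. It illustrates the two points the article makes: how colliding POST parameter names turn hash-table inserts into quadratic work (a toy chained table with a deterministic Java-String.hashCode-style hash stands in for the affected runtimes), and how the two mitigations mentioned, a cap on variables per request as in Microsoft's patch and randomized or keyed hashing as Perl and Ruby adopted, remove the cost. Every name here (java_hash, colliding_keys, keyed_hash, ToyTable, parse_post, accepted, demo) is the example's own; the 4096-bucket table, the blake2b key and the request bodies are constructed for illustration, and blake2b stands in for whatever keyed hash a real runtime uses.

```python
"""Added example: hash-collision DoS against POST parameter parsing, and the
two mitigations (variable cap, keyed hash). Not code from any real runtime;
all names and sizes are this example's own."""
import hashlib
import random
import secrets
import string
from typing import Callable, List, Optional


def java_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c, wrapped to 32 bits. It is
    deterministic, so an attacker can precompute strings sharing one value."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n: int) -> List[str]:
    """'Aa' and 'BB' both have java_hash 2112. For a 31-multiply hash,
    hash(a + b) == 31**len(b) * hash(a) + hash(b) (mod 2**32), so
    concatenating k such blocks gives 2**k equal-length strings that all
    share one hash. Returns n of them."""
    keys = [""]
    while len(keys) < n:
        keys = [k + block for k in keys for block in ("Aa", "BB")]
    return keys[:n]


def keyed_hash(seed: bytes) -> Callable[[str], int]:
    """A per-process secret key makes bucket placement unpredictable, so
    precomputed collisions no longer line up. Keyed blake2b is used here only
    as a stand-in for the keyed/randomized hashes real runtimes adopted."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), digest_size=8, key=seed).digest()
        return int.from_bytes(digest, "big")
    return h


class ToyTable:
    """Separate-chaining hash table that counts key comparisons, so the cost
    of a request is visible without timing. The hash function is pluggable."""

    def __init__(self, nbuckets: int = 4096, hash_fn: Callable[[str], int] = java_hash):
        self.buckets: List[List[List[str]]] = [[] for _ in range(nbuckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for pair in chain:  # scan the whole chain for an existing key
            self.comparisons += 1
            if pair[0] == key:
                pair[1] = value
                return
        chain.append([key, value])

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def parse_post(body: str, table: ToyTable, max_vars: Optional[int] = None) -> ToyTable:
    """Store application/x-www-form-urlencoded pairs in `table`. With max_vars
    set, an oversized request is rejected before any name is hashed; this is
    the shape of the 500-variable default the article quotes."""
    pairs = body.split("&")
    if max_vars is not None and len(pairs) > max_vars:
        raise ValueError(f"too many POST variables: {len(pairs)} > {max_vars}")
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def accepted(body: str, max_vars: int) -> bool:
    """True if the body passes the variable cap, False if it is rejected."""
    try:
        parse_post(body, ToyTable(), max_vars=max_vars)
        return True
    except ValueError:
        return False


def attack_body(n: int) -> str:
    """Constructed hostile POST body: n parameter names with one shared hash."""
    return "&".join(f"{k}=x" for k in colliding_keys(n))


def benign_body(n: int) -> str:
    """Constructed benign POST body: n random 12-letter parameter names."""
    rng = random.Random(1)
    return "&".join(
        "".join(rng.choices(string.ascii_lowercase, k=12)) + "=x" for _ in range(n))


def demo(n: int = 2048) -> dict:
    """Comparisons spent per request. The hostile body against the
    deterministic hash costs n*(n-1)/2; the other two cases stay near linear."""
    hostile = parse_post(attack_body(n), ToyTable())
    normal = parse_post(benign_body(n), ToyTable())
    keyed = parse_post(attack_body(n), ToyTable(hash_fn=keyed_hash(secrets.token_bytes(16))))
    return {
        "attack": hostile.comparisons,
        "attack_chain": hostile.longest_chain(),
        "benign": normal.comparisons,
        "attack_keyed": keyed.comparisons,
    }


if __name__ == "__main__":
    print(demo())
```

With 2048 colliding names the deterministic table performs 2,096,128 key comparisons and ends with a single 2048-entry chain, while the same request against the keyed table, or a benign request of the same size, costs only a few hundred. The variable cap is the cheaper fix because it rejects the request before hashing anything, but it leaves the underlying hash predictable; the keyed hash addresses the root cause, which is why the article notes that Microsoft's cap "leaves the reimplementation of the hash function for a future update".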