Hackers armed with a single PC and a minimal broadband
connection can cripple web servers, putting a huge number of websites and apps
at risk. Gregg Keizer explains.

Security researchers recently revealed a
vulnerability in the handling of hash tables by programming languages that
puts sites and apps at risk of a denial of service (DoS) attack. Microsoft,
whose ASP.Net programming language is one of several affected, quickly shipped
an out-of-band update, designated ‘MS11-100’.
The problem exists in many of the web’s
most popular app and site programming languages, including ASP.Net, PHP, Ruby,
Java and V8 JavaScript, according to researchers Alex Klink and Julian Walde.
Klink and Walde traced the flaw to the
handling of hash tables, a programming structure used to store and retrieve
data.
Unless a language randomizes hash functions
or takes into account ‘hash collisions’ (when multiple pieces of data generate
the same hash), attackers can calculate the data that will trigger large numbers of
collisions, then send that data as a simple HTTP request. Because each
collision chews up processing cycles on the targeted server, a hacker using
relatively small attack packets could consume all the processing power of even
well-equipped servers.
Microsoft confirmed that a single 100k HTTP
request sent to a server running ASP.Net could consume 100 percent of a CPU
core for 90-110 seconds.
“An attacker could potentially repeatedly
issue such requests, causing performance to degrade significantly enough to
cause a DoS condition for even multi-core servers or clusters of servers,”
company engineers Suha Can and Jonathan Ness said in a blog.
Klink and Walde estimated that packets as
small as 6k would keep a single-core processor busy on a Java server.
The implications are significant for web
apps and sites that run on those servers.

Small-scale attacks with huge impact

“An attacker with little resources can
effectively take out a site fairly easily,” said Andrew Storms, director of
security operations at nCircle Security. “No botnet is required to create havoc
here.”
Microsoft’s rush to patch the flaw in
ASP.Net hinted at the seriousness of the bug. Can and Ness said the firm
“anticipates the imminent public release of exploit code”, and urged customers
to apply the patch.
Other programming language developers have
already offered fixes for their software. Ruby, for instance, has issued an
update that includes a new randomized hash function, while PHP has shipped a
release candidate for version 5.4.0.
Some, however, will take their time
implementing a fix, said Klink and Walde.
Oracle told them there wasn’t anything to
patch in Java itself, but said it would update the GlassFish Java server
software with a future fix.
Klink and Walde credited another pair of
researchers, Scott Crosby and Dan Wallach, for outlining the attack vector in
2003, and applauded the Perl programming language for patching its flaw then.
Meanwhile, they chastised other vendors for not tackling the problem years ago.
“I’d have to agree that we all expected
vendors to have fixed this by now,” said Storms. “On the other hand, there’s a
lot of research out there and it’s not always possible to be on top of
everything. It’s not as though this kind of attack has been ongoing in the wild
since 2003 and everyone refused to fix it.”
Klink and Walde reported their research to
the Open Source Computer Security Incident Response Team in September. The
organization contacted the various vendors responsible for the affected
languages.
The patch from Microsoft was its only
out-of-band update in 2011 and Storms, who had only recently praised the company
for not having to go out of band, noted that he had at the time issued a
caveat. “I did say at the December Patch Tuesday that it had a few weeks to go
before the year was over,” he said in an instant message.
Microsoft delivered MS11-100 via its usual
Windows Update and Windows Server Update Service (WSUS) channels.