Microsoft ASP.NET CaseInsensitiveHashProvider.getHashCode() function denial of service (HTTP_URL_TooMany_Parameters_DoS)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:

This event triggers when an HTTP request (other than a 'POST') contains more than pam.http.url_values.limit name=value pairs. Such a request could cause a denial of service in typical non-ASP engines including, but not limited to, PHP, Java and Python.

See also:
http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx
http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf


False positives

Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: A false alarm is indicated when this event triggers on sessions directed to servers which are not running a vulnerable CGI application, but when the session includes more than pam.http.url_values.limit name=value parameters. In such instances, either tune the event to ignore the permissible traffic or disable the event. A false positive is not indicated when this event triggers on sessions directed to servers which are not running a vulnerable CGI application. In such instances, either tune the event to ignore the permissible traffic or disable the event.

False negatives

Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: Only the ampersand ('&') character is considered as a delimiter between 'name=value' pairs in URL-encoded query data. No other character (such as the pipe ('|')) is considered a substitute for the ampersand. If your web application uses a delimiter other than the ampersand to delimit discrete name=value pairs, then this event will not trigger.
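
The trigger condition and the delimiter blind spot described above can be reproduced offline against request lines from a proxy or web server log. This is an added example, not the sensor's own code: the limit value of 1000, the function names and the sample request lines are assumptions (the page names pam.http.url_values.limit but does not state its setting).

```python
import re

# Assumed value: the page names pam.http.url_values.limit but not its setting.
URL_VALUES_LIMIT = 1000
# Request line as seen on the wire or in a proxy log: METHOD target HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def count_pairs(target, delimiter="&"):
    """Count name=value fields in the query part of a request target."""
    _, has_query, query = target.partition("?")
    if not has_query:
        return 0
    query = query.split("#", 1)[0]  # a fragment is not query data
    return sum(1 for field in query.split(delimiter) if "=" in field)


def parse(request_line):
    """Return the target of a non-POST request, or None if out of scope."""
    m = REQUEST_LINE.match(request_line.strip())
    if m is None or m.group("method") == "POST":
        return None
    return m.group("target")


def would_trigger(request_line, limit=URL_VALUES_LIMIT):
    """True when the '&'-delimited pair count exceeds the limit."""
    target = parse(request_line)
    return target is not None and count_pairs(target) > limit


def missed_delimiters(request_line, candidates=(";", "|"), limit=URL_VALUES_LIMIT):
    """Delimiters under which the request exceeds the limit although the
    '&'-only count does not (the false-negative case)."""
    target = parse(request_line)
    if target is None or count_pairs(target) > limit:
        return []
    return [d for d in candidates if count_pairs(target, d) > limit]


def sample_line(method, pairs, delimiter="&"):
    """Constructed test input: a request line carrying `pairs` fields."""
    query = delimiter.join(f"p{i}=v" for i in range(pairs))
    return f"{method} /app/page.aspx?{query} HTTP/1.1"


if __name__ == "__main__":
    for line in (sample_line("GET", 1001), sample_line("GET", 5000, "|")):
        print(would_trigger(line), missed_delimiters(line))
```

Running `missed_delimiters` over existing logs shows whether an application accepts a non-ampersand delimiter that an ampersand-only count would not see.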

Default risk level

Medium

Sensors that have this signature

Proventia Desktop: 2715, Proventia Network IPS: XPU 31.122, RealSecure Server Sensor: XPU 31.122, RealSecure Network: XPU 31.122, Proventia-G 1.1 and earlier: XPU 31.122, Proventia Network IDS: XPU 31.122, Proventia Network MFS: XPU 31.122, IBM Security Server Protection for Windows: 2.1.14.2715, Virtual Server Protection for VMware: XPU 31.122, Proventia Server IPS for Linux technology: 31.122

Systems affected

Microsoft .NET Framework: 1.1 SP1, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft .NET Framework: 2.0 SP2, Microsoft .NET Framework: 3.5 SP1, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium, Microsoft .NET Framework: 3.5.1, Microsoft .NET Framework: 4.0, Microsoft Windows 7: SP1 x64, Microsoft Windows Server 2008: R2 SP1 x64, Microsoft Windows Server 2008: R2 SP1 Itanium

Type

Denial of Service

Vulnerability description

Microsoft ASP.NET is vulnerable to a denial of service, caused by insufficient randomization of hash data structures by the CaseInsensitiveHashProvider.getHashCode() function. By sending multiple specially-crafted HTTP POST requests containing conflicting hash key values to an affected application, a remote attacker could exploit this vulnerability to trigger hash collisions and cause the consumption of CPU resources.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS11-100. See References.

References

Microsoft Security Advisory (2659883)
Vulnerability in ASP.NET Could Allow Denial of Service
http://technet.microsoft.com/en-us/security/advisory/2659883

n.runs-SA-2011.004
Denial of Service through hash table multi-collisions
http://www.nruns.com/_downloads/advisory28122011.pdf

oCERT-2011-003
multiple implementations denial-of-service via hash algorithm collision
http://www.ocert.org/advisories/ocert-2011-003.html

Microsoft Security Bulletin MS11-100
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
http://technet.microsoft.com/en-us/security/bulletin/ms11-100

IBM Internet Security Systems Protection Alert
Microsoft Vulnerability in ASP.NET Could Allow Denial of Service
http://www.iss.net/threats/440.html

ISS X-Force
Microsoft ASP.NET CaseInsensitiveHashProvider.getHashCode() function denial of service
http://www.iss.net/security_center/static/71989.php

CVE
CVE-2011-3414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3414