Today is Patch Tuesday, and the ASP.NET team would like to announce that we have two items included in this month’s release. The first is a bulletin affecting certain versions of SignalR; the second is an advisory affecting ASP.NET Web Forms (.aspx) applications. Each item is briefly outlined below. For more information, consult Security TechCenter for this month’s releases.
Cross-site scripting (XSS) vulnerability in ASP.NET SignalR
Main article: Bulletin MS13-103 (KB 2905244)
Some versions of ASP.NET SignalR contain a bug which could under certain circumstances allow an attacker to run arbitrary JavaScript in the context of a site visitor’s browser. This is an example of a cross-site scripting (XSS) attack.
Action items
If your web application uses SignalR, consult the table below for the recommended course of action.
SignalR version | Recommended steps |
1.0.0 – 1.0.1 | These versions of SignalR are not vulnerable to this attack, so no update is necessary. However, the 1.0.x branch is not under active support by Microsoft. It is recommended that applications upgrade to the latest 1.x version to remain in a supported state. At the time of this article’s publication, the latest supported 1.x version is 1.1.4. |
1.1.0 – 1.1.3 | These versions of SignalR are vulnerable to the attack, and applications which rely on them should upgrade to the latest 1.x version as soon as possible. At the time of this article’s publication, the latest supported 1.x version is 1.1.4. |
2.0.0 | This version of SignalR is vulnerable to the attack, and applications which rely on it should upgrade to the latest 2.x version as soon as possible. At the time of this article’s publication, the latest supported 2.x version is 2.0.1. |
See KB 2905244 for more information on how to update the version of SignalR used by your application.
Insecure ASP.NET Web Forms (.aspx) configuration could allow remote code execution
Main article: KB 2905247
By default, ASP.NET Web Forms contains the configuration setting EnableViewStateMac=true, which helps verify that the __VIEWSTATE field and related fields haven’t been tampered with. MSDN warns against setting this switch to false on a production site due to the ability for an attacker to forge malicious payloads. If a web developer sets EnableViewStateMac=false for any page in his site, an attacker could leverage this to upload and invoke arbitrary executable code within the context of the web service account. This is an example of a remote code execution (RCE) attack.
Action items
The EnableViewStateMac switch has a default value of true unless the web developer has explicitly set this switch to false. To see if your application is vulnerable, search the source files that comprise your application for the term EnableViewStateMac (all one word), and verify that the switch is never set to false anywhere in your application. The search must minimally include .config, .aspx, .cs, and .vb files. However, it is safer to search all file extensions.
Important note:
The next version of ASP.NET will forbid setting EnableViewStateMac=false. Applications which set EnableViewStateMac=false may no longer function properly once this update is pushed out. Web developers must take this time to ensure that their applications do not set this switch to an insecure value.
As part of this advisory, we are also publishing a KB article on how to resolve "validation of view state MAC failed" exceptions that may have led developers to set EnableViewStateMac=false in the first place. That KB article can be found here.
Additional resources
Further information on this month’s security releases can be found at the following locations:
- December 2013 advisories and bulletins: https://technet.microsoft.com/en-us/security/bulletin/ms13-dec
- MSRC blog: http://blogs.technet.com/b/msrc/
- SRD blog: http://blogs.technet.com/b/srd/