Galin Iliev's blog

Software Architecture & Development

Vulnerability in ASP.NET Could Allow Denial of Service

A newly discovered vulnerability could allow a DoS attack. Microsoft has issued critical security bulletin MS11-100 for it, which contains update packages.

Eweek reports:

The exploit uses a specially crafted HTTP request containing thousands of form values to create a hash table that is computationally expensive to process. Any ASP.NET Website that accepts form data is likely to be vulnerable, as well as Web servers running the default configuration of Internet Information Services (IIS) when ASP.NET is enabled...

The MS Security Research & Defense blog describes the issue in detail and gives background on the workaround. Here is an excerpt:

This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers.

Since it is very easy to bring servers down with a specially crafted HTTP request, it is best to patch your web server immediately to avoid attacks.
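To make the cost described in the excerpts concrete, the following added example (not from the original post or from Microsoft) counts key comparisons in a toy chained hash table when every key lands in one bucket, and shows a field-count cap applied before any hashing. The hash functions, key set and `MAX_FORM_KEYS` value are assumptions for illustration; this is not .NET's string hash or ASP.NET's form parser.

```python
# Added illustration: a toy chained hash table, not .NET's string hash
# or ASP.NET's form parser. All names and values here are constructed.
import hashlib

BUCKETS = 1024
MAX_FORM_KEYS = 1000  # assumed cap for this sketch


def weak_hash(key):
    """Predictable and order-insensitive: any two anagrams collide."""
    return sum(key.encode()) % BUCKETS


def spread_hash(key):
    """Well-distributed reference hash for comparison."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % BUCKETS


def insert_cost(keys, hash_fn):
    """Insert keys into a chained table; return key comparisons performed."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key)]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons


def parse_form_capped(body, max_keys=MAX_FORM_KEYS):
    """Count fields before hashing anything; reject oversized forms."""
    fields = body.split("&") if body else []
    if len(fields) > max_keys:
        raise ValueError(f"{len(fields)} form fields exceeds cap of {max_keys}")
    return dict(f.partition("=")[::2] for f in fields)


def colliding_keys(n):
    """n distinct keys sharing one weak_hash bucket (one 'b' among n-1 'a's)."""
    return ["a" * i + "b" + "a" * (n - 1 - i) for i in range(n)]


if __name__ == "__main__":
    keys = colliding_keys(500)
    print("weak hash  :", insert_cost(keys, weak_hash))    # N*(N-1)/2
    print("spread hash:", insert_cost(keys, spread_hash))
```

With N colliding keys the insert cost grows as N(N-1)/2, so capping the number of fields bounds the worst case regardless of how the keys hash.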