Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an "out-of-band" patch for its ASP.NET platform just hours later.
Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the results of a calculation -- the hash function -- performed on the data itself. Ideally, the hash function would return a different result, or hash, for each possible item of data, but this is not achievable in practice, so implementations of hash tables have to deal with 'hash collisions,' where two or more different pieces of data generate the same hash.
A collision slows the storage and retrieval of the data involved, the time taken for those operations typically increasing with the square of the number of items involved in the collision, according to Alexander "alech" Klink of German security consultancy n.runs and Julian "zeri" W
An attacker with knowledge of how a web application calculates hashes can send it a batch of data sure to result in many collisions, "making it possible to exhaust hours of CPU time using a single HTTP request," Klink and W
PHP 5, Java and ASP.NET are all vulnerable to the attack, the two said in their advisory and in a related presentation at the Chaos Communication Congress in Berlin.
Microsoft published a security advisory later Wednesday, acknowledging that a vulnerability in ASP.NET could allow a denial of service attack, and suggesting a work-around for the problem. Shortly afterwards the company announced that it will break from its regular monthly security update schedule to release a patch for the vulnerability on Thursday at around 10 a.m. Pacific Time.
Klink and W
Web application platform developers had plenty of warning of the problem, according to Klink and W
Changes were made to Perl that year to randomize the way hashes are calculated, preventing attackers from calculating collisions ahead of time, and similar changes were subsequently made to CRuby from version 1.9, they said.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at firstname.lastname@example.org.