Many web app frameworks are vulnerable to a denial-of-service attack targeting the way they handle hash tables, researchers revealed Wednesday, prompting Microsoft to announce an “out-of-band” patch for its ASP.NET platform just hours later.
Hash tables are used to store and retrieve data rapidly, allocating the data to different slots in the table based on the results of a calculation — the hash function — performed on the data itself. Ideally, the hash function would return a different result, or hash, for each possible item of data, but this is not achievable in practice, so implementations of hash tables have to deal with ‘hash collisions,’ where two or more different pieces of data generate the same hash.
A collision slows the storage and retrieval of the data involved, the time taken for those operations typically increasing with the square of the number of items involved in the collision, according to Alexander “alech” Klink of German security consultancy n.runs and Julian “zeri” Wälde of Darmstadt Technical University.
An attacker with knowledge of how a web application calculates hashes can send it a batch of data sure to result in many collisions, “making it possible to exhaust hours of CPU time using a single HTTP request,” Klink and Wälde warned in an advisory on Wednesday.
PHP 5, Java and ASP.NET are all vulnerable to the attack, the two said in their advisory and in a related presentation at the Chaos Communication Congress in Berlin.
Microsoft published a security advisory later Wednesday, acknowledging that a vulnerability in ASP.NET could allow a denial of service attack, and suggesting a work-around for the problem. Shortly afterwards the company announced that it will break from its regular monthly security update schedule to release a patch for the vulnerability on Thursday at around 10 a.m. Pacific Time.
Klink and Wälde said in their security advisory that the Java application server Apache Tomcat had already been patched “to limit the number of request parameters using a configuration parameter,” stopping an attacker from causing too many hash collisions at once. “The default value of 10,000 should provide sufficient protection,” they wrote. The update can be found in Tomcat versions 7.0.23 and 6.0.35 onwards.
Web application platform developers had plenty of warning of the problem, according to Klink and Wälde: The attack was described as long ago as 2003, they said, in the Usenix Security paper “Denial of Service via Algorithmic Complexity Attacks” by Scott A. Crosby and Dan S. Wallach.
Changes were made to Perl that year to randomize the way hashes are calculated, preventing attackers from calculating collisions ahead of time, and similar changes were subsequently made to CRuby from version 1.9, they said.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.