Today is Patch Tuesday, and the ASP.NET team would like to announce that we have two items included in this month's release. The first is a bulletin affecting certain versions of SignalR; the second is an advisory affecting ASP.NET Web Forms (.aspx) applications. For more information, consult Security TechCenter for this month's releases.

Cross-site scripting (XSS) vulnerability in ASP.NET SignalR

Some versions of ASP.NET SignalR contain a bug which could, under certain circumstances, allow an attacker to run arbitrary JavaScript in the context of a site visitor's browser. This is an example of a cross-site scripting (XSS) attack. If your web application uses SignalR, consult the table below for the recommended course of action.

1.0.x (not vulnerable): These versions of SignalR are not vulnerable to this attack, so no update is necessary. However, the 1.0.x branch is not under active support by Microsoft. It is recommended that applications upgrade to the latest 1.x version to remain in a supported state.

1.x releases after the 1.0.x branch (vulnerable): These versions of SignalR are vulnerable to the attack, and applications which rely on them should upgrade to the latest 1.x version as soon as possible. At the time of this article's publication, the latest supported 1.x version is 1.1.4.

2.x before 2.0.1 (vulnerable): This version of SignalR is vulnerable to the attack, and applications which rely on it should upgrade to the latest 2.x version as soon as possible. At the time of this article's publication, the latest supported 2.x version is 2.0.1.

See KB 2905244 for more information on how to update the version of SignalR used by your application.

Insecure ASP.NET Web Forms (.aspx) configuration could allow remote code execution

By default, ASP.NET Web Forms contains the configuration setting EnableViewStateMac=true, which helps verify that the __VIEWSTATE field and related fields haven't been tampered with. MSDN warns against setting this switch to false on a production site because it allows an attacker to forge malicious payloads. If a web developer sets EnableViewStateMac=false for any page in their site, an attacker could leverage this to upload and invoke arbitrary executable code within the context of the web service account. This is an example of a remote code execution (RCE) attack.

The EnableViewStateMac switch has a default value of true unless the web developer has explicitly set this switch to false. To see if your application is vulnerable, search the source files that comprise your application for the term EnableViewStateMac (all one word), and verify that the switch is never set to false anywhere in your application. The setting is normally found in the @Page directive of .aspx files, in the <pages> element of web.config or machine.config, or set programmatically through the Page.EnableViewStateMac property in code-behind files. However, it is safer to search all file extensions.

The next version of ASP.NET will forbid setting EnableViewStateMac=false. Applications which set EnableViewStateMac=false may no longer function properly once this update is pushed out. Web developers must take this time to ensure that their applications do not set this switch to an insecure value.

As part of this advisory, we are also publishing a KB article on how to resolve “validation of view state MAC failed” exceptions that may have led developers to set EnableViewStateMac=false in the first place.
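The following is an added example, not code from the ASP.NET team and not ASP.NET's actual view state format: a simplified model of the check that EnableViewStateMac turns on or off, so the consequence of disabling it is visible. It assumes a server-side secret VALIDATION_KEY standing in for the machineKey validation key and models __VIEWSTATE as base64(payload || HMAC-SHA256(payload)); the function names are chosen for the demo.

```python
"""Simplified model of the check that EnableViewStateMac turns on or off.

Added example, not ASP.NET's own view state format or code. Assumptions:
the server holds a secret VALIDATION_KEY (standing in for the machineKey
validationKey) and __VIEWSTATE is modelled as
base64(payload || HMAC-SHA256(payload)).
"""
import base64
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

# Stand-in for the machineKey validationKey: a random server-side secret.
VALIDATION_KEY = os.urandom(32)


def sign_viewstate(payload: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Server side: append a MAC over the serialized state and base64-encode."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def load_viewstate(field: str, enable_viewstate_mac: bool,
                   key: bytes = VALIDATION_KEY) -> bytes:
    """Server side: return the bytes the page will hand to its deserializer.

    With the MAC enabled, only state the server itself signed gets through;
    anything else fails with the same kind of error developers see as
    "validation of view state MAC failed". With the MAC disabled the field
    is accepted as-is, so the client chooses what gets deserialized.
    """
    raw = base64.b64decode(field)
    if not enable_viewstate_mac:
        return raw  # attacker-controlled bytes reach the deserializer unchecked
    if len(raw) < TAG_LEN:
        raise ValueError("validation of view state MAC failed")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("validation of view state MAC failed")
    return payload


def forge_viewstate(payload: bytes) -> str:
    """Client side: what an attacker without the key can submit, a field of their choosing."""
    return base64.b64encode(payload).decode("ascii")


def tamper(field: str) -> str:
    """Client side: flip one bit in a field the server produced."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    good = sign_viewstate(b"state")
    print("signed, MAC on :", load_viewstate(good, True))
    print("forged, MAC off:", load_viewstate(forge_viewstate(b"attacker"), False))
    try:
        load_viewstate(forge_viewstate(b"attacker"), True)
    except ValueError as err:
        print("forged, MAC on :", err)
```

The point of the model is the branch in load_viewstate: with the MAC on, a forged or bit-flipped field is rejected before anything is deserialized; with it off, whatever the client posted is handed to the deserializer, which is the condition the advisory warns leads to code execution.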
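As an added audit helper for the search described above (example code, not from the ASP.NET team), the script below scans a source tree for every place EnableViewStateMac is set to false. It assumes the setting can appear in the @Page directive of .aspx files, in the <pages> element of web.config or machine.config, or in code-behind via the Page.EnableViewStateMac property, and it reads every file regardless of extension so backup copies of web.config are caught too. The sample tree it writes is constructed for the demo; the function names are the example's own.

```python
"""Find every place in a source tree where EnableViewStateMac is set to false.

Added example, not code from the ASP.NET team. Assumes the setting can
appear in @Page directives (.aspx), in <pages> in web.config/machine.config,
or in code-behind via Page.EnableViewStateMac, and scans all extensions.
"""
import os
import re
import tempfile

# Matches the directive form (EnableViewStateMac="false"), the config form
# (enableViewStateMac="False") and the code form (EnableViewStateMac = false).
INSECURE_SETTING = re.compile(
    r"""EnableViewStateMac\s*=\s*["']?\s*false\b""", re.IGNORECASE)


def find_insecure_viewstate_mac(root):
    """Return (relative path, line number, line) for every insecure occurrence."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Read everything as text; binary files simply produce no matches.
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    if INSECURE_SETTING.search(line):
                        findings.append(
                            (os.path.relpath(path, root), lineno, line.strip()))
    return findings


# Constructed sample tree: a mix of safe and unsafe files.
SAMPLE_FILES = {
    "Default.aspx": '<%@ Page Language="C#" EnableViewStateMac="false" '
                    'CodeBehind="Default.aspx.cs" %>\n',
    "Safe.aspx": '<%@ Page Language="C#" EnableViewStateMac="true" %>\n',
    "Web.config": '<configuration>\n  <system.web>\n'
                  '    <pages enableViewStateMac="False" />\n'
                  '  </system.web>\n</configuration>\n',
    "Web.config.bak": '<pages enableViewStateMac="false"/>\n',
    "Legacy.aspx.cs": "protected void Page_Init(object sender, EventArgs e)\n{\n"
                      "    this.EnableViewStateMac = false; // TODO: fix MAC failures properly\n}\n",
    "notes.txt": "Remember to keep EnableViewStateMac at its default.\n",
}


def run_demo():
    """Write the sample tree to a temp dir, scan it, and return the flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = find_insecure_viewstate_mac(root)
    for path, lineno, line in findings:
        print(f"{path}:{lineno}: {line}")
    return sorted(path for path, _, _ in findings)


if __name__ == "__main__":
    run_demo()
```

Point find_insecure_viewstate_mac at the root of a real application to get a path and line for each hit; a page that sets the switch to true is not reported, since only a false anywhere in the tree matters.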