Exposed ASP.NET machine keys on approximately 3K Microsoft systems could potentially be exploited and weaponized.
In a recent alert, Microsoft has urged developers to secure their ASP.NET machine keys, following the discovery of over 3,000 publicly exposed keys. This vulnerability could potentially supply threat actors with a powerful hacking tool, enabling remote compromise of organisations' servers.
The concern was underscored in December when a threat actor used a publicly available ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. However, it's important to note that the identity of the threat actor remains unattributed.
ViewState, a method used by ASP.NET page frameworks to preserve page and control values between round trips, is particularly at risk in such attacks. If ASP.NET machine keys fall into the wrong hands, they can be used to create a malicious ViewState and gain remote code execution on an enterprise IIS server.
To mitigate these risks, Microsoft has provided a series of best practices to secure ASP.NET machine keys and prevent ViewState code-injection attacks.
1. Use strong, explicitly configured machine keys: Instead of relying on automatically generated or default keys, developers should use strong, explicitly configured keys to prevent attackers from forging ViewState data and executing code remotely.
2. Protect keys at rest: It's crucial to prevent unauthorized access that could allow key extraction and malicious ViewState forgery. Microsoft recommends using secure locations such as Windows DPAPI, secure network shares with keys encrypted using an X.509 certificate, Azure Key Vault, or other key management services for centralised protection and access control.
3. Avoid key exposure: Developers should review and harden their machineKey generation policies and ViewState MAC validation settings to prevent vulnerabilities in older ASP.NET applications.
4. Enable ViewState MAC validation: This ensures data integrity and prevents tampering, a default in modern ASP.NET but should be explicitly confirmed and never disabled.
5. Rotate keys periodically: Regularly rotating keys limits the impact if keys are compromised.
6. Use HTTPS: Protecting the transportation of ViewState data between client and server prevents interception and replay attacks.
7. Monitor for exploitation attempts: Anomalous ViewState payloads or unauthorized file uploads can indicate attempts to inject or execute malicious ViewState code, so it's essential to monitor for such activities.
By following these best practices and securing machine keys with encrypted storage mechanisms, enforcing ViewState MAC validation, and applying secure transport protocols, developers can effectively prevent ViewState code-injection attacks and protect against remote server compromise.
Microsoft has also published hash values for the publicly disclosed machine keys on a GitHub repository and provided a script for customers to check their networks. However, it's unclear if any of the 3,000 exposed keys have been rotated and secured by their respective owners.
Jeremy Dallman, senior director of security research at Microsoft Threat Intelligence, has issued a call to action on LinkedIn regarding the issue of exposed ASP.NET machine keys. Despite the alert, the blog post does not provide any new information about the Godzilla post-exploitation framework or its association with Chinese state-sponsored threat actors.
Microsoft Defender for Endpoint can detect at-risk keys in a network via the alert "Publicly disclosed ASP.NET machine key," according to the vendor. This tool could prove invaluable in identifying and securing vulnerable systems.
In conclusion, the importance of securing ASP.NET machine keys cannot be overstated. By taking proactive measures to protect these keys, developers can significantly reduce the risk of ViewState code-injection attacks and safeguard their servers from potential compromise.
- The discovery of over 3,000 publicly exposed ASP.NET machine keys highlights the need for cybersecurity measures, providing threat actors with opportunities to create malicious ViewState and execute code remotely.
- To mitigate this threat, developers should prioritize the use of strong, explicitly configured machine keys, secure key storage, and ViewState MAC validation, among other best practices, to prevent ViewState code-injection attacks and safeguard data-and-cloud-computing systems.
- Privacy concerns and potential security breaches underscore the importance of implementing advanced technology solutions, such as Microsoft Defender for Endpoint, to help identify and secure at-risk keys within networks, ensuring cybersecurity for organizations and individuals alike.
