Microsoft warns of a flaw in ASP.NET

Microsoft has warned of a publicly known flaw in ASP.NET. The vulnerability affects all versions of the software. There are no reports of attacks in the wild.
The vulnerability is not very dangerous, but it is worrisome because an attacker does not need many resources to launch a devastating DoS attack. Microsoft says that “a single, specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 to 110 seconds”. This means that “The vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even a cluster of web servers”.
Andrew Storms of nCircle says such attacks are very rare. “Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it”.
The vulnerability stems from the way ASP.NET handles values in a form POST, which can cause hash collisions.
Storms thinks such flaws are not specific to Microsoft and can also affect other software.
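
Why colliding form keys are so expensive can be seen in a small model. The following is an added example, not code from Microsoft or from the original article: it loads a form-encoded body into a chained hash table and counts key comparisons. The toy hash, the table size, the sample bodies and the `max_keys` cap (one general way to bound the work, not a fix described in the article) are all assumptions of this example.

```python
from itertools import islice, permutations
from urllib.parse import parse_qsl

BUCKETS = 1024  # constructed table size for this model

class TooManyKeys(ValueError):
    """Raised when a request carries more form keys than the cap allows."""

def weak_hash(key):
    # Toy hash for the demo (sum of code points), NOT the hash ASP.NET uses.
    # Any reordering of the same characters lands in the same bucket.
    return sum(map(ord, key)) % BUCKETS

def insert_cost(body, max_keys=None):
    """Load a form-encoded body into a chained hash table and return the
    number of key comparisons spent walking bucket chains."""
    pairs = parse_qsl(body, keep_blank_values=True)
    # Hypothetical mitigation: refuse oversized key sets before any hashing.
    if max_keys is not None and len(pairs) > max_keys:
        raise TooManyKeys(f"{len(pairs)} keys exceeds cap of {max_keys}")
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key, value in pairs:
        chain = table[weak_hash(key)]
        for entry in chain:
            comparisons += 1
            if entry[0] == key:
                entry[1] = value  # duplicate key: overwrite the old value
                break
        else:
            chain.append([key, value])  # new key: append to the chain
    return comparisons

def colliding_body(n):
    # Constructed sample: n distinct keys, all reorderings of "abcdef" (n <= 720).
    keys = ("".join(p) for p in islice(permutations("abcdef"), n))
    return "&".join(f"{k}=1" for k in keys)

# Constructed sample of an ordinary form submission.
ORDINARY_FORM = "name=Ann&email=ann%40example.test&city=Oslo&zip=0150&phone=555"

if __name__ == "__main__":
    print("ordinary form:", insert_cost(ORDINARY_FORM))
    for n in (100, 200, 400):
        print(n, "colliding keys:", insert_cost(colliding_body(n)))
    try:
        insert_cost(colliding_body(400), max_keys=100)
    except TooManyKeys as exc:
        print("rejected before hashing:", exc)
```

With every key in one bucket, n keys cost n(n-1)/2 comparisons, so doubling the number of keys roughly quadruples the work, which is how one modest request can occupy a CPU core for a long time.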


Source: SC Magazine
29.12.2011