Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool. The attack itself preys on a padding oracle in the way ASP.NET handles its AES-encrypted data: the server's error responses reveal whether the padding on a tampered ciphertext was valid, and that one bit of feedback, repeated enough times, lets the attacker decrypt the data without the key. You can read about it over here at threatpost. So what's the reward for a successful attack? It's not going to allow the attacker to execute code or elevate rights directly, but it does allow the attacker to read potentially sensitive data that the server encrypted, which could then be used to compromise the system further.
The mitigation for this attack is to hide the distinguishing server errors: no matter what the error, the same error page must be returned, with the same status code and no detectable difference in timing, so the attacker cannot tell a padding failure from any other failure. This can be done manually in each application by configuring the <customErrors> section of its web.config file, or, you can mitigate centrally at your web farm's front door with (of course!) an iRule.
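As an added illustration of the per-application fix (this is not taken from the original post or from the threatpost article; the file names `~/Error.aspx` and the per-status error pages are assumed for the example), here is a web.config fragment that still leaks the difference between errors, followed by the configuration and error page shape that Microsoft's workaround in advisory 2416728 prescribes:

```xml
<!-- web.config, BEFORE: one page per status code. A padding failure and a
     "page not found" land on different URLs, so the oracle is still open. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- web.config, AFTER: a single page for every error, served in place
     (redirectMode="ResponseRewrite", .NET 3.5 SP1 / 4.0) so the client never
     sees a status-specific 302. No per-statusCode <error> entries remain. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>

<!-- Error.aspx (assumed file name): the page that now answers every error.
     The random 0-255 ms sleep is the advisory's timing defence, so that a
     padding error cannot be distinguished from another error by response
     time once the content and status are identical. -->
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        byte[] delay = new byte[1];
        using (RandomNumberGenerator prng = new RNGCryptoServiceProvider())
        {
            prng.GetBytes(delay);          // one cryptographically random byte
        }
        Thread.Sleep((int)delay[0]);       // sleep 0..255 ms before responding
    }
</script>
<html><body>An error occurred while processing your request.</body></html>
```

On .NET versions before 3.5 SP1, `redirectMode` is not available; there the advisory's guidance is the same single `defaultRedirect` without the attribute. Either way, check the result from the outside: request a few URLs that must fail in different ways (a missing resource, a deliberately corrupted `__VIEWSTATE`, a bad `WebResource.axd` parameter) and confirm that the status code, body length and headers are identical across them.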