TL;DR
The CVE-2008-5100 vulnerability allows attackers to potentially replace legitimate ASP.NET assemblies with malicious ones if strong naming verification isn’t enforced correctly. This guide explains how to check your systems and apply the necessary fixes, primarily involving configuring web.config for proper assembly loading.
Understanding the Problem
ASP.NET relies on strong names (digital signatures) to verify the authenticity of assemblies. If this verification isn’t properly configured, an attacker could drop a malicious assembly into your application’s bin folder and it might be loaded instead of the genuine one. This is especially risky if you have applications that rely on shared assemblies.
Checking Your Vulnerability
- Review web.config: The key to this vulnerability lies in how your web.config file handles assembly loading. Look for the <assemblies> section, specifically any entries using the assemblyIdentity tag with a publicKeyToken attribute.
- Check for missing or weak configuration: If you find assemblies configured without explicit strong name verification, your application might be vulnerable.
Fixing the Vulnerability
The primary fix is to ensure that ASP.NET *always* verifies assembly signatures before loading them. Here’s how:
- Explicitly Specify Assembly Versions and Public Keys: Instead of relying on broad assembly names, specify the exact version and public key token in your web.config file. This prevents attackers from substituting older or malicious versions.
  - Find the correct public key token for each assembly you need to reference. You can do this using tools like .NET Reflector or by examining the assembly’s properties in Visual Studio.
  - Update your web.config file with specific details. For example:

    <assemblies>
      <assemblyIdentity name="System.Web" publicKeyToken="b03f5f7f11d50a3a" version="4.0.0.0" culture="neutral"/>
      <assemblyIdentity name="MyAssembly" publicKeyToken="yourPublicKeyTokenHere" version="1.0.0.0" culture="neutral"/>
    </assemblies>

- Use the requireStrongName Attribute: Set this attribute to true in your application’s configuration file. This forces ASP.NET to verify assembly signatures. Add or modify the following setting within the <system.web> section of your web.config:

    <system.web>
      <compilation requireStrongName="true"/>
    </system.web>

- File System Permissions: Ensure that the application’s bin folder has appropriate permissions to prevent unauthorized modification of assemblies.
  - Restrict write access to only necessary accounts (e.g., the application pool identity).
- Consider Code Access Security (CAS): While CAS is largely deprecated, if you are still using it, review your security policies to ensure they don’t inadvertently allow malicious assemblies to run.
- Regularly Scan for Malicious Assemblies: Implement a regular scanning process to detect any unauthorized or modified assemblies in your application’s bin folder. Use an anti-virus solution or dedicated file integrity monitoring tool.
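The following PowerShell script is an added example, not part of the original guide or any Microsoft tooling. It ties together three of the steps above for one application: it lists which accounts hold write access to the bin folder (the permissions step), reads the version and public key token directly out of each assembly's manifest so you do not need Reflector or Visual Studio to look the token up, and keeps a SHA-256 baseline of the folder so that later runs report new, changed or missing files (the regular-scan step). It assumes Windows PowerShell 5.1 or later; $BinPath, $BaselinePath and the $AllowedWriters list are placeholders to be adjusted for your deployment.

```powershell
# Added example (not from the original guide): audit an ASP.NET bin folder for
# (1) ACL entries that grant write access, (2) assemblies with no public key
# token (i.e. not strong-named), and (3) files whose SHA-256 differs from a
# saved baseline. Paths and account names below are placeholders.
param(
    [string]$BinPath      = 'C:\inetpub\wwwroot\MyApp\bin',            # placeholder
    [string]$BaselinePath = 'C:\ProgramData\MyApp\bin-baseline.json',  # placeholder
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# 1. Identities allowed to write into the folder. Anything outside
#    $AllowedWriters (e.g. the app pool identity) is worth a second look.
function Get-BinWriters {
    param([string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $writeMask) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights
}

# 2. Version and public key token read from each assembly manifest.
#    An empty token means the assembly is not strong-named at all.
function Get-AssemblyTokens {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.dll | ForEach-Object {
        try {
            $name  = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
            $token = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
        } catch {
            $name = $null; $token = ''   # native DLL or unreadable file
        }
        [pscustomobject]@{
            File    = $_.Name
            Version = if ($name) { $name.Version.ToString() } else { 'n/a' }
            Token   = if ($token) { $token } else { '<none: not strong-named>' }
        }
    }
}

# 3. Hash baseline: the first run writes it, later runs diff against it.
function Compare-BinBaseline {
    param([string]$Path, [string]$Baseline)
    $current = @{}
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $current[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    if (-not (Test-Path $Baseline)) {
        $current | ConvertTo-Json | Set-Content -Path $Baseline
        return "Baseline written with $($current.Count) files."
    }
    $saved = @{}
    (Get-Content $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $saved[$_.Name] = $_.Value }
    $allNames = @($current.Keys) + @($saved.Keys) | Sort-Object -Unique
    $findings = foreach ($f in $allNames) {
        if (-not $saved.ContainsKey($f))        { "NEW      $f" }
        elseif (-not $current.ContainsKey($f))  { "MISSING  $f" }
        elseif ($saved[$f] -ne $current[$f])    { "CHANGED  $f" }
    }
    if ($findings) { $findings } else { 'No changes since baseline.' }
}

Write-Host "== Accounts with write access to $BinPath (outside the allowed list) =="
Get-BinWriters -Path $BinPath |
    Where-Object { $AllowedWriters -notcontains $_.IdentityReference.Value } |
    Format-Table -AutoSize

Write-Host '== Assembly identities in bin =='
Get-AssemblyTokens -Path $BinPath | Format-Table -AutoSize

Write-Host '== Integrity check against baseline =='
Compare-BinBaseline -Path $BinPath -Baseline $BaselinePath
```

Run it once right after a known-good deployment to write the baseline, then on a schedule (or from your file integrity monitoring tool) so that a NEW or CHANGED line in the third section, or a DLL listed with no token in the second, is investigated before the application picks the file up. The Token column is also the value to paste into the publicKeyToken attribute when you pin an assembly in web.config; regenerate the baseline after every legitimate deployment.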
Testing the Fix
- Attempt Assembly Substitution: Try replacing a legitimate assembly with a dummy one (do this in a test environment!). If your configuration is correct, ASP.NET should refuse to load the malicious assembly and throw an exception.
- Look for exceptions related to strong name verification failures in the application logs or event viewer.
- Monitor Application Logs: After applying the fix, closely monitor your application logs for any errors related to assembly loading or security violations.
Further Information
You can find more details about CVE-2008-5100 and its mitigation on Microsoft’s website: Microsoft Security Bulletin

