Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability

CVE ID: CVE-2008-3842 CVE-2008-3843

When did QID 90780 become a PCI Failing Vulnerability?

It was added on March 14, 2012 as an urgent request by a large Acquiring Institution and was listed as a PCI Failure immediately.

What versions of Microsoft ASP.NET are vulnerable?

Microsoft has confirmed that ASP.NET versions 1 and 2 are both vulnerable.

Additionally, testing has confirmed that ASP.NET version 3 is also vulnerable, as it includes the vulnerable component from version 2 by default. This vulnerability has been confirmed and the exploit works on a fully patched version 3.

What versions of Microsoft ASP.NET are not vulnerable?

ASP.NET version 4 is not vulnerable, as it does not use the vulnerable ‘ValidateRequest’ Filter.

How is this vulnerability detected?

If a vulnerable version of the ASP.NET Framework is running on the target device, we will report this vulnerability. Typically the Scan Results will show “X-AspNet-Version: 1.1.4322” for vulnerable v.1 installations, and “X-AspNet-Version: 2.0.50727” for vulnerable v.2 or v.3 installations.
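To illustrate the header-based check described in the answer above, here is an added example (not 1 Stop PCI Scan's scanner code) that classifies HTTP response header blocks by their X-AspNet-Version value. The sample responses, the 4.0.30319 string for the v.4 case, and the handling of a missing header are assumptions made for this example.

```python
import re
from typing import Optional

# Framework major versions reported as vulnerable in the FAQ: 1.x, 2.x and 3.x
# (3.x reuses the 2.0 runtime and therefore advertises 2.0.50727). 4.x is not affected.
VULNERABLE_MAJORS = {1, 2, 3}


def extract_aspnet_version(raw_headers: str) -> Optional[str]:
    """Return the X-AspNet-Version value from a raw HTTP response header block, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-aspnet-version":
            return value.strip()
    return None


def classify(raw_headers: str) -> str:
    """Classify a response as 'vulnerable', 'not_vulnerable' or 'unknown'.

    'unknown' means the header is absent or unparsable: the host may have stripped
    the header or may not run ASP.NET at all, so it needs a different check rather
    than a clean bill of health.
    """
    version = extract_aspnet_version(raw_headers)
    if version is None:
        return "unknown"
    match = re.match(r"(\d+)\.(\d+)", version)
    if not match:
        return "unknown"
    return "vulnerable" if int(match.group(1)) in VULNERABLE_MAJORS else "not_vulnerable"


# Constructed sample responses (not captured from a real host).
RESP_V1 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-AspNet-Version: 1.1.4322\r\nContent-Type: text/html\r\n"
RESP_V2 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-AspNet-Version: 2.0.50727\r\nContent-Type: text/html\r\n"
RESP_V4 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-AspNet-Version: 4.0.30319\r\nContent-Type: text/html\r\n"
RESP_NO_HEADER = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, resp in [("v1", RESP_V1), ("v2", RESP_V2), ("v4", RESP_V4), ("none", RESP_NO_HEADER)]:
        print(label, extract_aspnet_version(resp), classify(resp))
```

A v.3 host advertises the same 2.0.50727 string as v.2, so the classifier cannot tell them apart, which matches how the scan result is described above.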

Since this is being detected based upon the .NET Framework Version, shouldn’t this be reported as a Potential Vulnerability?

This vulnerability is reported based upon the detection of the vulnerable framework being installed and running. The framework itself is vulnerable, with or without the ValidateRequest Filter. If the ValidateRequest Filter is used, it can be bypassed to exploit the framework. If the ValidateRequest Filter is not used, the framework can also be exploited, as no filtering would be present. For this reason, we consider the framework itself vulnerable, and so the detection of this framework being installed/running is reported as a confirmed vulnerability.

OK, so we are vulnerable. How do we fix this?

The standard solution would be to upgrade to a non-vulnerable framework, such as ASP.NET version 4. ASP.NET version 1 is 10 years old, and version 2 is 7 years old, and so it probably does make sense to migrate to a more current framework for your Internet Facing PCI Infrastructure, which should be kept up to date with the latest versions and security patches.

I need to fix this for PCI Compliance, but I can’t upgrade to ASP.NET version 4. What else can I do?

PCI Compliance is focused on the Real World Risk to Cardholder Data. For this reason, 1 Stop PCI Scan can accept QID 90780 as a false positive exception, if proof can be provided that the vulnerability is not exploitable. In this case, the Real World Risk is that Cross-Site Scripting (XSS) may be possible, and so any proof must include exhaustive Cross-Site Scripting (XSS) testing. You can then submit this via the standard False Positive Request Workflow, and then reply to the ticket with your additional proof attached. Acceptable proof could include one or more of the following:

  • Web Application Scan
  • Penetration Test
  • Code Review
  • Audit
  • Other

My Compliance Report is already due, and I don’t have time to address this. What can I do?

You can reach out to your Acquiring Institution and request an Exception. You can submit your PCI Report, and let your Acquirer know you are working to remediate this new issue but you need some additional time to fully address it, and that you expect to have it remediated by your next quarterly report (for example). Reasonable Exception Requests are typically granted by Acquiring Institutions, who understand that PCI Compliance is an on-going process, and it’s not always possible to be 100% compliant all of the time. However, ultimately the decision, and any associated timeline, will be between you and your Acquiring Institution.

What if I have a large number of systems with this vulnerability reported? Do I need to provide “Proof” for all of them?

If all of these systems are in scope for PCI, then yes, we will need to validate that all systems are fully compliant for PCI.

What if I don’t currently have any of the above mentioned “Proof” available?

We can work with you to provide you with access to additional tools that will allow you to obtain the required proof. This may also help you to satisfy other required sections of the PCI Data Security Standard, which you may not yet have developed a process for.