Bug 739119 (CVE-2012-3543)

Summary: VUL-1: CVE-2012-3543: mono-web: hash collision denial of service attacks in ASP.net
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: GeneralAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P4 - Low CC: astieger, ddobrev, hhetter, jeremie.laval, max, meissner, orphaned, security-team, thomas
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:62324:moderate maint:released:sle10-sp3:62464 maint:running:63215:moderate maint:released:oes11-sp2:63216 maint:released:oes2015:63217
Found By: Third Party Developer/Partner Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Patch for mono master
Patch for mono 2-10

Description Marcus Meissner 2012-01-02 10:00:22 UTC 
is public via CVE diff.

The CaseInsensitiveHashProvider.getHashCode function in the HashTable implementation in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka "Collisions in HashTable May Cause DoS Vulnerability."

Reference: CERT-VN: http://www.kb.cert.org/vuls/id/903934
Reference: MISC: http://www.ocert.org/advisories/ocert-2011-003.html
Reference: MISC: http://www.nruns.com/_downloads/advisory28122011.pdf
Reference: MS: http://technet.microsoft.com/security/bulletin/MS11-100


I have not yet cross checked if it affects Mono ASP.NET, but I guess it does.
Comment 1 Swamp Workflow Management 2012-01-02 23:00:12 UTC 
bugbot adjusting priority
Comment 2 Marcus Meissner 2012-07-04 08:31:42 UTC 
Dobrin, here is another mono issue (perhaps), but of low severity
Comment 3 Jérémie LAVAL 2012-07-25 13:05:45 UTC 
Created attachment 499891 [details]
Patch for mono master
Comment 4 Jérémie LAVAL 2012-07-25 13:06:09 UTC 
Created attachment 499892 [details]
Patch for mono 2-10
Comment 5 Jérémie LAVAL 2012-07-25 13:06:55 UTC 
On behalf of Marek Habersack:

The attached patches fix the vulnerability - contact us at support@xamarin.com if you have any follow-up questions. The fix was committed to the following Mono branches:

master:
        2ab1a051058fee5ea3aec2e071fba7000b693488
        c3e088bf2fc22d66d0f17b74676de366f661c3eb

mono-2-10:
        04245de5c480db5dff5983467f7a8606f1321ed6
        049bb49f1c5b650166de2a266bc1879c5def0190
Comment 6 Marcus Meissner 2012-07-25 14:18:22 UTC 
thank yoU!

reopen for tracking... reassign to me for package building when needed
Comment 7 Marcus Meissner 2012-08-28 15:12:50 UTC 
-> orphaned.

please incldue in current mono-core update too.
Comment 9 Marcus Meissner 2012-08-28 15:20:19 UTC 
cve requested
Comment 10 Sebastian Krahmer 2012-08-29 06:28:05 UTC 
CVE-2012-3543
Comment 11 Reinhard Max 2012-12-10 09:52:23 UTC 
(In reply to comment #7)

> please incldue in current mono-core update too.

I am not aware of another current mono-core update.
Comment 12 Thomas Biege 2012-12-10 16:36:33 UTC 
I assume MArcus pointed to https://swamp.suse.de/webswamp/swamp/template/DisplayWorkflow.vm/workflowid/48165 which is already done. :-\
Comment 13 Marcus Meissner 2015-11-04 15:34:27 UTC 
(so far was not released)
Comment 14 Swamp Workflow Management 2015-11-04 16:19:38 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-11-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62324
Comment 15 Reinhard Max 2015-11-12 17:09:12 UTC 
None of the patches provided above seems to apply to any of the Mono versions we have on SLE-10-SP3, SLE-11-SP0 and SLE-11-SP2.
Comment 18 Swamp Workflow Management 2015-12-18 09:17:50 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-01-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62382
Comment 24 Andreas Stieger 2016-01-21 12:00:33 UTC 
Hello Reinhard, please review these proposed patches.

You will also find them building in ibs:
home:AndreasStieger:branches:OBS_Maintained:mono-core
Comment 25 Reinhard Max 2016-01-21 15:47:10 UTC 
submitted
Comment 28 Swamp Workflow Management 2016-01-27 15:12:19 UTC 
SUSE-SU-2016:0257-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 739119,958097
CVE References: CVE-2009-0689,CVE-2012-3543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server 11-SP4 (src):    mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server 11-SP3 (src):    mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    mono-core-2.6.7-0.16.1
Comment 29 Swamp Workflow Management 2016-12-01 13:07:49 UTC 
SUSE-SU-2016:2958-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 739119,958097
CVE References: CVE-2009-0689,CVE-2012-3543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mono-core-2.6.7-0.18.1
SUSE Linux Enterprise Server 11-SP4 (src):    mono-core-2.6.7-0.18.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    mono-core-2.6.7-0.18.1