KB2418241, KB2416473, and KB2416451 all reference http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

After installing these patches on our Windows Server 2003 machines last Friday, we have been getting a significantly increased rate of errors of the sort:

    System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not
    supplied or was invalid. ---> System.Web.HttpException: Validation of viewstate MAC
    failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey>
    configuration specifies the same validationKey and validation algorithm. AutoGenerate
    cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate.

The setup is as follows:

  • The web applications are running in a web cluster, with the NLB settings to Client Affinity: Single.
  • There are redirects between two separate web applications, and both of their machineKey elements are identical using explicit validationKey and decryptionKey elements.
  • The validation method is set to "SHA1" and the decryption method is set to "AES".

(Furthermore, no redeployments of the applications have taken place since well before the Microsoft updates were installed.)

These errors could of course be caused by actual CSRF attacks, but I find it unlikely given the volume and the spike corresponding with installation of the updates.

Are there any known issues with this update that could be causing this? (and even better, any known workarounds?)

Nathan

1 Answer

This problem was indeed caused by the security update. The update changed the way things are validated by additionally signing the encrypted data. This included the AntiForgeryToken cookie.

If the user restarts their browser or otherwise clears all session cookies, the problem goes away.

This was also noted in a comment at http://weblogs.asp.net/scottgu/archive/2010/09/27/asp-net-security-update-shipping-tuesday-sept-28th.aspx

    After installing the patch, I was quite freaked out to find requests to my site
    failing - 500s. But only in one browser. To sum up: If you have an MVC site,
    and are using Html.AntiForgeryToken() - any existing browser sessions will need
    to be closed and reopened so that the session cookie that was generated before
    the patch was applied, for that antiforgery token, can be killed. Your existing
    users may need to be informed of this - I can't see any way to change the name of that
    cookie.

You can also run into this problem when upgrading from MVC 1 to MVC 2:

http://weblogs.asp.net/james_crowley/archive/2010/03/18/beware-upgrade-to-asp-net-mvc-2-0-with-care-if-you-use-antiforgerytoken.aspx

In both cases, a workaround if you can't force your users to restart their browser requires editing the application code and redeploying. You can edit the application so that when the exception occurs, you clear the AntiForgeryToken cookie from the incoming request, and then reissue the token cookie by calling Html.AntiForgeryToken(). However, in doing so, you must take care that you only do it in the appropriate places (e.g. the error page or another page that does not modify data) - otherwise, you lose all the protection from CSRF attacks, which is the whole reason for using the antiforgery token in the first place.

Nathan
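One way to implement the workaround the answer describes, as an added example that is not code from the answer or from the asker's applications: an MVC 2 exception filter that, when `HttpAntiForgeryException` is thrown, expires the stale anti-forgery cookie and redirects the browser with a GET to a page that does not modify data and renders `Html.AntiForgeryToken()`, which issues a fresh cookie. The cookie-name prefix `__RequestVerificationToken` (MVC appends an application-path suffix to it in MVC 2), the `ResetAntiForgeryCookieAttribute` name and the `~/Error/StaleToken` route are assumptions for illustration; check the prefix against the cookie your deployment actually sets before relying on it. The failed POST is never replayed, so a genuine CSRF attempt still does nothing.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter (not from the original page): recover from an anti-forgery
// cookie that was issued before the MS10-070 patch by expiring it and sending the
// user to a safe GET page that reissues the token. The rejected POST is NOT retried.
public class ResetAntiForgeryCookieAttribute : FilterAttribute, IExceptionFilter
{
    // Assumption: MVC 2 names the cookie "__RequestVerificationToken" or
    // "__RequestVerificationToken_<app-path suffix>". Verify against your deployment.
    private const string CookiePrefix = "__RequestVerificationToken";

    // Assumption: a GET-only action whose view renders <%= Html.AntiForgeryToken() %>
    // and performs no data modification.
    private const string SafeReissuePage = "~/Error/StaleToken";

    public void OnException(ExceptionContext filterContext)
    {
        // Only react to the anti-forgery failure; let everything else propagate.
        if (!(filterContext.Exception is HttpAntiForgeryException))
            return;

        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpResponseBase response = filterContext.HttpContext.Response;

        // Find every anti-forgery cookie the browser sent (one per application path).
        string[] staleNames = request.Cookies.AllKeys
            .Where(name => name.StartsWith(CookiePrefix, StringComparison.Ordinal))
            .ToArray();

        foreach (string name in staleNames)
        {
            // Expiring the cookie on the client is the same effect as the user
            // restarting the browser; the next Html.AntiForgeryToken() call sets a new one.
            var expired = new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true
            };
            response.Cookies.Add(expired);
        }

        // Redirect (GET) to a page that reissues the token and changes no state.
        // Do not redirect back to the POST target: that would be a CSRF bypass.
        filterContext.Result = new RedirectResult(SafeReissuePage);
        filterContext.ExceptionHandled = true;
    }
}

// Apply it to the controllers that use [ValidateAntiForgeryToken], or to a shared
// base controller (MVC 2 has no global filter registration).
[ResetAntiForgeryCookie]
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... state-changing work guarded by the token ...
        return RedirectToAction("Index");
    }
}
```

The target page should be a plain GET view with `Html.AntiForgeryToken()` in it and a link or form back to where the user was; the user has to resubmit the form deliberately. Keep the filter limited to the anti-forgery exception type so unrelated errors (including the inner `HttpException` from viewstate MAC validation when it occurs on its own) still surface normally.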