Full Report
Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby putting their applications in attackers' pathway. The tech giant's threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET
Analysis Summary
# Vulnerability: ASP.NET Remote Code Execution via Publicly Disclosed Machine Keys
## CVE Details
- CVE ID: Not explicitly listed; described as a systemic insecure practice related to ViewState code injection (historically related to CVE-2020-0688).
- CVSS Score: Not explicitly provided. Severity inferred as High because the outcome is Remote Code Execution (RCE).
- CWE: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) or CWE-321 (Use of Hard-coded Cryptographic Key) where keys are hard-coded. (The core issue is key reuse/disclosure enabling RCE.)
## Affected Systems
- Products: Applications utilizing the Microsoft ASP.NET framework that employ default or non-rotated cryptographic machine keys.
- Versions: Unspecified versions of ASP.NET where developers incorporate publicly disclosed Machine Keys for ViewState validation/encryption.
- Configurations: Applications using ASP.NET ViewState where the `machineKey` (specifically the validation/decryption key) used is publicly known, either by being copied from public repositories or reused across environments.
## Vulnerability Description
Threat actors can leverage publicly disclosed, static ASP.NET `machineKey` values (used for ViewState MAC and encryption) to forge or modify ViewState data. ASP.NET uses this key by default to sign (MAC) and encrypt ViewState, ensuring its integrity and confidentiality between postbacks. An attacker who possesses the correct key can craft a request carrying malicious serialized code in the ViewState field. When the targeted IIS web server processes that request, it validates and decrypts the malicious ViewState successfully, and deserializing it leads to execution of arbitrary code in the context of the worker process. Microsoft observed an unknown threat actor using this technique to deploy the Godzilla post-exploitation framework.
## Exploitation
- Status: Observed limited activity in December 2024 involving an unknown threat actor.
- Complexity: Low to Medium, as the required key is publicly available (not requiring compromise/theft of a specific target's key).
- Attack Vector: Network (HTTP POST request containing the malicious ViewState).
## Impact
- Confidentiality: High (RCE allows access to system data).
- Integrity: High (Arbitrary code execution).
- Availability: High (Potential for system compromise or denial of service).
## Remediation
### Patches
- No specific software patches are mentioned for this systemic security practice issue. The remediation focuses on configuration changes.
### Workarounds
1. **Key Rotation:** Immediately rotate all ASP.NET machine keys, especially if default keys or keys sourced elsewhere are in use.
2. **Key Management:** Strictly prohibit copying machine keys from publicly available sources (e.g., code snippets, public code repositories). Ensure application-specific keys are unique and properly secured.
3. **Verification:** Customers are urged to check current machine keys against the list of known, publicly disclosed hash values provided by Microsoft.
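The verification and rotation steps above, as an added example written for this summary (it is not Microsoft's `MachineKeyScan.ps1`, whose matching rules are not described here): a Python scanner that fingerprints the static `validationKey`/`decryptionKey` values in a `web.config` with SHA-256, compares them against a disclosed-key list, skips `AutoGenerate` keys (which are per-machine and never static), and rewrites the element with freshly generated random keys. The sample `web.config`, the "disclosed" key value and the hash-list format are constructed for the example; a real run would load the vendor's published list instead of the hard-coded set.

```python
"""Scan web.config machineKey values against disclosed-key fingerprints and
rotate them (added example; not Microsoft's MachineKeyScan.ps1)."""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying a machineKey copied from a public
# snippet. The key bytes are made up for this example.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0102030405060708091011121314151617181920212223242526272829303132"
                decryptionKey="A1A2A3A4A5A6A7A8A9A0B1B2B3B4B5B6B7B8B9B0C1C2C3C4C5C6C7C8C9C0D1D2"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def key_fingerprint(hex_key):
    """SHA-256 of the normalised (upper-case, trimmed) hex key string, so the
    scanner can compare against a hash list without holding raw keys."""
    return hashlib.sha256(hex_key.strip().upper().encode("ascii")).hexdigest()


# Constructed "known disclosed" list. Assumption: the list holds SHA-256 hex
# digests of key strings; a real deployment loads the vendor CSV instead.
DISCLOSED_VALIDATION_KEY = "0102030405060708091011121314151617181920212223242526272829303132"
KNOWN_DISCLOSED_FINGERPRINTS = {key_fingerprint(DISCLOSED_VALIDATION_KEY)}


def extract_machine_keys(web_config_xml):
    """Return every validationKey/decryptionKey attribute found in the config."""
    root = ET.fromstring(web_config_xml)
    keys = []
    for element in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = element.get(attr)
            if value is None:
                continue
            keys.append({"attribute": attr, "value": value,
                         # "AutoGenerate[,IsolateApps]" means no static key is stored
                         "static": not value.startswith("AutoGenerate")})
    return keys


def scan_web_config(web_config_xml, disclosed_fingerprints):
    """Flag static keys whose fingerprint appears in the disclosed list."""
    findings = []
    for key in extract_machine_keys(web_config_xml):
        if not key["static"]:
            continue
        fp = key_fingerprint(key["value"])
        findings.append({"attribute": key["attribute"], "fingerprint": fp,
                         "disclosed": fp in disclosed_fingerprints,
                         "well_formed": bool(HEX_RE.match(key["value"]))})
    return findings


def new_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


def rotate_machine_key(web_config_xml):
    """Return the config with every machineKey element given fresh random keys."""
    root = ET.fromstring(web_config_xml)
    for element in root.iter("machineKey"):
        fresh = new_machine_key()
        element.set("validationKey", fresh["validationKey"])
        element.set("decryptionKey", fresh["decryptionKey"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in scan_web_config(SAMPLE_WEB_CONFIG, KNOWN_DISCLOSED_FINGERPRINTS):
        status = "DISCLOSED" if f["disclosed"] else "ok"
        print(f'{f["attribute"]}: {status} ({f["fingerprint"][:16]}...)')
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Rotation note: every server in a web farm must receive the same new key pair, and rotating invalidates ViewState and forms-authentication tickets already issued, so schedule it as a coordinated change rather than editing one node at a time.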
## Detection
- Indicators of Compromise (IoC): Detection should focus on outbound connections or file modifications indicative of post-exploitation frameworks like Godzilla following web requests.
- Detection Methods and Tools: Microsoft provided a specific PowerShell script (`MachineKeyScan.ps1`) designed to help customers scan their environments for matching machine keys. Monitor web server logs for suspicious POST requests containing large or unusual ViewState values.
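The log-monitoring advice above, as an added example that is not part of the original summary or Microsoft's tooling: a Python hunt over IIS W3C log lines that flags POST requests to `.aspx` endpoints with unusually large request bodies (`cs-bytes`, since W3C logs carry no body and ViewState is the usual bulk of an ASP.NET postback) and POSTs answered with HTTP 500 (a ViewState MAC failure raises a `ViewStateException`, which surfaces as a 500 unless the application handles it). The log lines, the 8 KiB threshold and the allow-list of known-large endpoints are constructed assumptions to be tuned per application.

```python
"""Hunt IIS W3C logs for POSTs worth reviewing in a ViewState-abuse
investigation (added example; constructed log data)."""
from collections import defaultdict

# Constructed IIS log excerpt. Field order follows the #Fields: header, as
# IIS writes it; the client 198.51.100.23 is the one we expect to surface.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes time-taken
2024-12-03 10:15:01 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 512 15
2024-12-03 10:15:09 10.0.0.5 POST /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 2310 22
2024-12-03 10:16:40 10.0.0.5 POST /Default.aspx - 443 198.51.100.23 python-requests/2.31 200 61440 180
2024-12-03 10:16:41 10.0.0.5 POST /Default.aspx - 443 198.51.100.23 python-requests/2.31 500 58200 40
2024-12-03 10:17:02 10.0.0.5 POST /Upload.aspx - 443 203.0.113.9 Mozilla/5.0 200 120000 300
"""

LARGE_POST_BYTES = 8 * 1024            # assumption: tune to the app's real ViewState sizes
KNOWN_LARGE_ENDPOINTS = {"/upload.aspx"}  # assumption: endpoints where big POSTs are normal


def parse_w3c_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or header-less lines rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def suspicious_posts(records, threshold=LARGE_POST_BYTES, allowlist=KNOWN_LARGE_ENDPOINTS):
    """Return POSTs to .aspx pages that are oversized or failed with HTTP 500."""
    hits = []
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx") or stem in allowlist:
            continue
        try:
            size = int(r.get("cs-bytes", "0"))
        except ValueError:
            continue
        reasons = []
        if size >= threshold:
            reasons.append(f"large POST body ({size} bytes)")
        if r.get("sc-status") == "500":
            reasons.append("HTTP 500 on POST (ViewState validation failures surface as 500s)")
        if reasons:
            hits.append({"time": f'{r.get("date")} {r.get("time")}',
                         "client": r.get("c-ip"), "uri": stem,
                         "user_agent": r.get("cs(User-Agent)"), "reasons": reasons})
    return hits


def clients_by_hits(hits):
    """Count hits per client IP so repeat senders float to the top."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = suspicious_posts(parse_w3c_log(SAMPLE_IIS_LOG))
    for h in hits:
        print(h["time"], h["client"], h["uri"], "; ".join(h["reasons"]))
    print(clients_by_hits(hits))
```

Treat a hit as a lead, not a verdict: confirm by checking whether the worker process spawned child processes or wrote new files under the web root shortly after the request, which is the post-exploitation behaviour the IoC bullet above describes.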
## References
- Vendor Advisories: Microsoft Security Blog (dated February 2025, as implied by context referencing December 2024 activity).
- Relevant Links:
  - Microsoft Machine Key Hash List: `github.com/microsoft/mstic/blob/master/RapidReleaseTI/MachineKeys.csv` (Defanged)
  - Machine Key Scanning Script: `github.com/microsoft/mstic/blob/master/RapidReleaseTI/MachineKeyScan.ps1` (Defanged)