Microsoft Warns of Insecure ASP.NET Machine Keys
February 7, 2025
By Ravie Lakshmanan
Cloud Security / Web Security
Microsoft has warned of an insecure practice in which software developers copy publicly disclosed ASP.NET machine keys from publicly accessible resources into their applications, leaving those applications open to attack.
The tech giant’s threat intelligence team observed limited activity in December 2024 involving an unknown threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
Microsoft has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it’s calling ViewState code injection attacks.
What are ViewState code injection attacks?
ViewState is a method used in the ASP.NET framework to preserve page and control values between postbacks. This can also include application data that is specific to a page.
By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding. A hash of the view state data is created from the data by using a machine authentication code (MAC) key. The hash value is added to the encoded view state data and the resulting string is stored in the page.
The purpose of the hash value is to ensure that the view state data has not been corrupted or tampered with by malicious actors. However, if these keys are stolen or made accessible to unauthorized third parties, a threat actor can use them to craft a malicious ViewState request that passes validation and executes arbitrary code.
When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.
How to mitigate the risk
Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging customers to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host.
To mitigate the risk posed by such attacks, Microsoft advises against copying keys from publicly available sources and recommends rotating keys regularly. As a further step to deter threat actors, Microsoft said it removed key artifacts from "limited instances" where they were included in its documentation.
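The check Microsoft describes, comparing the keys actually configured in an application against the published hash list, can be automated. The script below is an added example and is not Microsoft's tooling: it parses a constructed web.config, hashes the explicitly configured validationKey and decryptionKey, and reports any that appear in a hash set. The assumption that the list contains one lowercase SHA-256 hex digest of each key string is this example's own; the real list's format is whatever Microsoft published. The key values and the hash set are constructed here so the sample produces a finding.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed keys, not taken from any application or documentation page.
# 128 hex characters for an HMACSHA256 validation key, 64 for an AES decryption key.
DISCLOSED_SAMPLE_KEY = "CAFEBABE" + "0123456789ABCDEF" * 7 + "DEADBEEF"
SAMPLE_DECRYPTION_KEY = "0123456789ABCDEF" * 4

# Constructed sample web.config using the keys above.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{DISCLOSED_SAMPLE_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
"""

# Stand-in for Microsoft's published hash list. Assumed format (an assumption of this
# example, not a description of the real file): one lowercase SHA-256 hex digest of the
# key string per entry. Seeded with the constructed validation key so the sample matches.
PUBLISHED_KEY_HASHES = {hashlib.sha256(DISCLOSED_SAMPLE_KEY.encode("ascii")).hexdigest()}


def key_hash(key: str) -> str:
    """Hash a key the way the list is assumed to: SHA-256 over the stripped key text."""
    return hashlib.sha256(key.strip().encode("ascii")).hexdigest()


def extract_machine_key(config_xml: str) -> dict:
    """Return the attributes of the first <machineKey> element, or {} if the config sets
    none (the keys then come from machine.config or are auto-generated by the runtime)."""
    root = ET.fromstring(config_xml)
    for element in root.iter("machineKey"):
        return dict(element.attrib)
    return {}


def audit_machine_key(config_xml: str, published_hashes: set) -> list:
    """Compare explicitly configured keys against the published hashes and return
    human-readable findings; an empty list means no configured key matched."""
    machine_key = extract_machine_key(config_xml)
    if not machine_key:
        return ["no explicit <machineKey>; check machine.config or the host's auto-generated keys instead"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr)
        # "AutoGenerate" / "AutoGenerate,IsolateApps" means the runtime made the key; nothing to compare.
        if not value or value.startswith("AutoGenerate"):
            continue
        if key_hash(value) in published_hashes:
            findings.append(
                f"{attr} matches a publicly disclosed key: rotate it and investigate the host, "
                "since rotation alone does not remove persistence gained before the change"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG, PUBLISHED_KEY_HASHES) or ["no disclosed keys found"]:
        print(finding)
```

Run against real configs, the hash set would be loaded from Microsoft's list and the audit applied to every web.config and machine.config on the server, since an application without its own machineKey element inherits whatever the machine-level file sets.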
Other security concerns
The development comes as cloud security company Aqua revealed details of an OPA Gatekeeper bypass that could be exploited to conduct unauthorized actions in Kubernetes environments, including deploying unauthorized container images.
In the k8sallowedrepos policy, a security risk arises from how the Rego logic is written in the ConstraintTemplate file. This risk is further amplified when users define values in the Constraint YAML file that do not align with how the Rego logic processes them. This mismatch can result in policy bypasses, making the restrictions ineffective.
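The article does not spell out how the Rego logic processes the listed values, so the comparison below is an added example with an assumption of its own, not code from Aqua's report or from the gatekeeper-library: it assumes the template admits an image whenever a listed value is a plain string prefix of the image reference, and contrasts that with an anchored interpretation in which the value must end at a path, tag or digest boundary. Running both over candidate image names shows exactly where a constraint author's intent and the policy's actual behaviour diverge, which is the check to run before trusting a constraint. All repository and image names are constructed.

```python
# Constructed values; what a user might list in the Constraint YAML.
CONSTRAINT_REPOS = ["registry.example.com/platform"]

# Constructed image references to test the constraint against.
CANDIDATE_IMAGES = [
    "registry.example.com/platform/api:1.4.2",        # intended to be allowed
    "registry.example.com/platform-sandbox/api:dev",  # a different repository path
    "registry.example.com/platformx/tools:latest",    # another prefix collision
    "docker.io/library/nginx:1.25",                   # clearly outside the list
]


def prefix_allowed(image: str, repos: list) -> bool:
    """Assumed template semantics: the image passes when any listed value is a plain
    string prefix of the image reference."""
    return any(image.startswith(repo) for repo in repos)


def anchored_allowed(image: str, repos: list) -> bool:
    """Anchored semantics: the listed value must be the whole repository or be followed by
    a path separator, tag or digest delimiter, so 'platform' cannot match 'platform-sandbox'."""
    for repo in repos:
        repo = repo.rstrip("/")
        if image == repo or image.startswith((repo + "/", repo + ":", repo + "@")):
            return True
    return False


def find_disagreements(images: list, repos: list) -> list:
    """Images the prefix check admits but the anchored check rejects: the cases where the
    constraint values do not align with how the policy logic processes them."""
    return [img for img in images if prefix_allowed(img, repos) and not anchored_allowed(img, repos)]


if __name__ == "__main__":
    for img in find_disagreements(CANDIDATE_IMAGES, CONSTRAINT_REPOS):
        print("constraint value would unintentionally admit:", img)
```

For this data set, listing the value as "registry.example.com/platform/" (with the trailing slash) makes the two interpretations agree; whether that is the right fix for a given template depends on the template's own matching logic, which is why the disagreement check is worth running against the real one.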