CVE-2011-3414
Published 2011-12-30
Priority P2 · 71 · high · CVSS 2.0 7.8 · AV:N/AC:L/Au:N/C:N/I:N/A:C
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 58.89% (99.0th percentile)
The CaseInsensitiveHashProvider.getHashCode function in the HashTable implementation in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka "Collisions in HashTable May Cause DoS Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_xp | — | — |
Detection & IOCs (extracted from sources)
- The attack vector is sending many crafted HTTP form parameters to trigger hash collisions in the ASP.NET HashTable, causing CPU exhaustion (DoS). Detection should focus on HTTP POST requests with an abnormally large number of form parameters targeting ASP.NET endpoints.
- The vulnerable function is CaseInsensitiveHashProvider.getHashCode within the HashTable implementation of the ASP.NET subsystem. Monitoring for excessive CPU consumption on .NET/Mono web servers that correlates with high-volume form parameter submissions is a key detection signal.
- The same hash collision DoS vulnerability also affects Mono .NET implementations (tracked as CVE-2012-3543). Detection logic should cover both Microsoft ASP.NET and Mono-hosted web applications.
- Affected Microsoft .NET Framework versions are 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0. Detections and mitigations should be scoped to these specific versions.
- Mono 2.x is EOL upstream and will not receive a patch for this issue; only the Mono 3.x branch received the upstream fix. Environments running Mono 2.x (including Fedora EPEL 5/6 packages) remain permanently unpatched unless manually addressed.
CVSS provenance
- NVD (v2.0): 7.8 HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
- VulnCheck: 7.8 HIGH
GHSA
GHSA-95wq-73j6-rm8c [HIGH] · ghsa_unreviewed · 2022-05-13
The GHSA entry repeats the CVE description given above.
VulnCheck
Microsoft .NET Framework CaseInsensitiveHashProvider.getHashCode Function Vulnerability [HIGH] · vulncheck · 2011 · CVSS 7.8
The VulnCheck entry repeats the CVE description given above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/201203
No detection rules found.
No public exploits indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://www.kb.cert.org/vuls/id/903934
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.us-cert.gov/cas/techalerts/TA11-347A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14588