Description:
SPI Labs has reported a vulnerability in ASP.NET, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an input validation error in the "System.Xml.Serialization.Xml.XmlSerializationReader.ReadReferencedElements()" function. This can be exploited to trigger an infinite loop and consume a large amount of CPU resources on a vulnerable system by sending a specially crafted SOAP message to an RPC/encoded web method that takes an array as input.
Solution:
Use the document/literal mode for web services handling input from untrusted sources.
The vulnerability will reportedly be fixed in an upcoming release.
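The following is an added illustration of the workaround, not code from the SPI Labs advisory or from Secunia: the same ASMX web method declared in the RPC/encoded binding style the advisory describes as affected, and again in the document/literal style it recommends for services that take input from untrusted sources. The service names, namespace and the CountItems method are assumed for illustration.

```csharp
// Added example (not part of the advisory). Shows an ASP.NET ASMX web method
// with an array parameter in the two SOAP binding styles. The class names,
// namespace URI and method are assumed for illustration.
using System.Web.Services;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

// Affected style: RPC/encoded. Parameters are decoded with SOAP Section 5
// encoding, which allows multi-reference (href/id) elements; that is the
// input handled by XmlSerializationReader.ReadReferencedElements(), the
// function the advisory names.
[WebService(Namespace = "http://example.invalid/orders")]   // assumed namespace
[SoapRpcService(Use = SoapBindingUse.Encoded)]
public class OrdersRpcService : WebService
{
    [WebMethod]
    public int CountItems(string[] items)   // array input, as in the advisory
    {
        return items == null ? 0 : items.Length;
    }
}

// Recommended style for untrusted callers: document/literal. Parameters are
// serialized as plain schema-described XML with no SOAP-encoded reference
// handling, so the code path the advisory describes is not exercised.
[WebService(Namespace = "http://example.invalid/orders")]   // assumed namespace
[SoapDocumentService(Use = SoapBindingUse.Literal)]
public class OrdersDocService : WebService
{
    [WebMethod]
    public int CountItems(string[] items)
    {
        return items == null ? 0 : items.Length;
    }
}
```

Document/literal is the default binding for ASMX services, so a service is only in the affected style if it has been switched explicitly. When auditing, look for [SoapRpcService] at class level or [SoapRpcMethod] on individual web methods (either with the default Encoded use) on services reachable by untrusted callers, and replace them with the [SoapDocumentService] or [SoapDocumentMethod] form; the generated WSDL will then advertise use="literal" for the affected operations.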
Provided and/or discovered by:
Bryan Sullivan and Sacha Faust, SPI Labs.
Original Advisory:
SPI Labs:
http://www.spidynamics.com/spilabs/advisories/aspRCP.html
Via Secunia.Com