Bug 277872 (CVE-2009-0217)

Summary: VU#466161: XML signature HMAC truncation authentication bypass (CVE-2009-0217)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Keywords: Tracker
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.kb.cert.org/vuls/id/466161
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 277873, 277875, 277876, 277878, 305195

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 00:42:53 UTC
Overview
The XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.

I. Description
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2014. When HMAC truncation is under the control of an attacker, however, this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.

II. Impact
This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.
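To show where the missing check sits, an added Python example (not code from the advisory, from CERT, or from any Gentoo package): a verifier that applies HMACOutputLength exactly as the unauthenticated document requests, beside one that refuses truncation below a minimum. The max(80, half-digest) floor is an assumption taken from the later XMLDsig guidance, not from this bug; the key and document bytes are constructed.

```python
import hmac
import hashlib

HASH_BITS = 160  # full output of HMAC-SHA1, XMLDsig's mandatory HMAC algorithm
# Assumed hardened policy: reject requested lengths below max(80, hash/2) bits.
MIN_OUTPUT_BITS = max(80, HASH_BITS // 2)

def truncated_mac(key: bytes, data: bytes, output_bits: int) -> bytes:
    """HMAC-SHA1 over data, keeping only the leftmost output_bits bits, which
    is how a ds:HMACOutputLength value is applied (RFC 2104 truncation)."""
    full = hmac.new(key, data, hashlib.sha1).digest()
    nbytes = (output_bits + 7) // 8
    out = bytearray(full[:nbytes])
    spare = nbytes * 8 - output_bits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF  # zero the unused low bits
    return bytes(out)

def verify_vulnerable(key, data, sig, output_bits):
    """Honours whatever HMACOutputLength the unauthenticated document asks for."""
    if not 1 <= output_bits <= HASH_BITS:
        return False
    return hmac.compare_digest(truncated_mac(key, data, output_bits), sig)

def verify_hardened(key, data, sig, output_bits):
    """Same check, but refuses truncation below the assumed minimum."""
    if not MIN_OUTPUT_BITS <= output_bits <= HASH_BITS:
        return False
    return hmac.compare_digest(truncated_mac(key, data, output_bits), sig)

def unkeyed_guess_accepted(verify, data, output_bits):
    """Without the key, try every possible tag of output_bits bits (only
    feasible for tiny lengths); True means the verifier was bypassed."""
    if output_bits > 8:
        return False
    for value in range(1 << output_bits):
        candidate = bytes([value << (8 - output_bits)])
        if verify(data, candidate, output_bits):
            return True
    return False

# Constructed sample inputs (not taken from the advisory).
KEY = b"shared-secret-key"
DOC = b"<Reference URI='#body'>...</Reference>"

if __name__ == "__main__":
    for name, fn in (("vulnerable", verify_vulnerable), ("hardened", verify_hardened)):
        bypassed = unkeyed_guess_accepted(lambda d, s, b: fn(KEY, d, s, b), DOC, 1)
        print(f"{name} verifier bypassed by 1-bit tag guess: {bypassed}")
```

With a 1-bit length the vulnerable verifier accepts one of only two possible tags, so a keyless guess succeeds; the hardened verifier rejects the request before comparing anything.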
Comment 1 Patrice Clement gentoo-dev 2015-10-23 18:57:04 UTC
No further blocker. Closing this bug.