Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 277872 (CVE-2009-0217) - VU#466161: XML signature HMAC truncation authentication bypass (CVE-2009-0217)
Summary: VU#466161: XML signature HMAC truncation authentication bypass (CVE-2009-0217)
Alias: CVE-2009-0217
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Keywords: Tracker
Depends on:
Blocks: 277873 277875 277876 277878 305195
  Show dependency tree
Reported: 2009-07-15 00:42 UTC by Robert Buchholz (RETIRED)
Modified: 2015-10-23 18:57 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 00:42:53 UTC
The XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.

I. Description
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2014. When HMAC truncation is under the control of an attacker, however, this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.

II. Impact
This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.
Comment 1 Patrice Clement gentoo-dev 2015-10-23 18:57:04 UTC
No further blocker. Closing this bug.