
Vulnerability of XML: bypassing signature

Synthesis of the vulnerability

The XMLDsig recommendation allows an attacker to bypass the signature of an XML document.
Vulnerable systems: Apache XML Security for Java, Debian, Fedora, HP-UX, WebSphere AS Traditional, Mandriva Linux, .NET Framework, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, Oracle GlassFish Server, Java Oracle, RHEL, Unix (platform) ~ not comprehensive.
Severity of this threat: 3/4.
Creation date: 15/07/2009.
References of this weakness: 269208, 47526, 6868619, 981343, BID-35671, CVE-2009-0217, DSA-1849-1, FEDORA-2009-8121, FEDORA-2009-8157, FEDORA-2009-8456, FEDORA-2009-8473, HPSBUX02476, MDVSA-2009:267, MDVSA-2009:268, MDVSA-2009:269, MDVSA-2009:318, MDVSA-2009:322, MS10-041, PK80596, PK80627, RHSA-2009:1428-01, SSRT090250, VIGILANCE-VUL-8864, VU#466161.

Description of the vulnerability

The W3C XMLDsig (XML Signature Syntax and Processing) recommendation indicates how to sign XML documents.

HMAC algorithms sign a document with a shared secret key and a hash algorithm.

The XMLDsig ds:HMACOutputLength parameter indicates how many leading bits of the HMAC output are kept as the signature value. The recipient of the XML document therefore compares only these first bits of the HMAC.

However, the specification does not define a minimum size. An attacker can therefore send a document whose ds:HMACOutputLength value is one, in order to force the recipient to check only a single bit, which a forged signature matches with probability one half.

Several XMLDsig implementations followed the recommendation literally and do not impose a minimum. These implementations are therefore vulnerable.
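As an added illustration (not the bulletin's own code, nor any listed product's), a Python HMAC-SHA1 verifier that honours ds:HMACOutputLength exactly as the vulnerable implementations did, next to the same verifier with a minimum-length check. The key, the SignedInfo bytes and the minimum policy (at least 80 bits and at least half the digest) are constructed assumptions.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DIGEST_BITS = 160  # HMAC-SHA1 output size


def truncated_hmac(key: bytes, data: bytes, out_bits: int) -> bytes:
    """Leftmost out_bits of HMAC-SHA1, zero-padded to a byte boundary."""
    full = hmac.new(key, data, hashlib.sha1).digest()
    out = bytearray(full[: (out_bits + 7) // 8])
    if out_bits % 8:
        out[-1] &= (0xFF << (8 - out_bits % 8)) & 0xFF
    return bytes(out)


def output_length(signature_method_xml: str):
    """ds:HMACOutputLength from a ds:SignatureMethod element, None if absent."""
    node = ET.fromstring(signature_method_xml).find(DS + "HMACOutputLength")
    return int(node.text) if node is not None else None


def verify(key, signed_info, sig_value, signature_method_xml, enforce_min=True):
    """Check a (possibly truncated) HMAC signature value against signed_info."""
    declared = output_length(signature_method_xml)
    out_bits = DIGEST_BITS if declared is None else declared
    # Hardened check: reject lengths under max(80, half the digest). This
    # minimum is the example's assumed policy, not taken from the bulletin.
    if enforce_min and out_bits < max(80, DIGEST_BITS // 2):
        return False
    return hmac.compare_digest(truncated_hmac(key, signed_info, out_bits), sig_value)


# Constructed sample data (not from the bulletin).
KEY = b"constructed-shared-secret"
SIGNED_INFO = b"<SignedInfo>constructed canonical bytes</SignedInfo>"
METHOD = ('<SignatureMethod xmlns="http://www.w3.org/2000/09/xmldsig#" '
          'Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">%s</SignatureMethod>')
LEGIT_METHOD = METHOD % ""
ATTACK_METHOD = METHOD % "<HMACOutputLength>1</HMACOutputLength>"


def legit_accepted(enforce_min: bool = True) -> bool:
    """A full-length signature made with the key must still verify."""
    sig = truncated_hmac(KEY, SIGNED_INFO, DIGEST_BITS)
    return verify(KEY, SIGNED_INFO, sig, LEGIT_METHOD, enforce_min)


def forgery_accepted(enforce_min: bool) -> bool:
    """With a 1-bit output length, a keyless guess of each bit value covers every case."""
    return any(verify(KEY, SIGNED_INFO, guess, ATTACK_METHOD, enforce_min)
               for guess in (b"\x00", b"\x80"))
```

forgery_accepted(False) reproduces the vulnerable behaviour and returns True; forgery_accepted(True) returns False while genuine full-length signatures keep verifying.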

This cybersecurity vulnerability impacts software or systems such as Apache XML Security for Java, Debian, Fedora, HP-UX, WebSphere AS Traditional, Mandriva Linux, .NET Framework, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, Oracle GlassFish Server, Java Oracle, RHEL, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability is important.

The trust level is confirmed by the software vendor, with an origin of document.

An attacker with expert skill can exploit this weakness.

Solutions for this threat

Apache XML Security: version 1.4.3.
Version 1.4.3 is corrected:
  http://santuario.apache.org/

Java 6: version 6 Update 15.
Version 6 Update 15 is corrected:
  http://java.sun.com/javase/downloads/index.jsp

WebSphere AS: versions 6.0.2.35, 6.1.0.25 and 7.0.0.3.
Version 6.0.2.35, 6.1.0.25 or 7.0.0.3 is corrected.

XML Security Library: version 1.2.12.
Version 1.2.12 is corrected:
  http://www.aleksey.com/xmlsec/

Debian: new xml-security-c packages.
New packages are available:
  http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-*_1.2.1-3+etch1_*.deb
  http://security.debian.org/pool/updates/main/x/xml-security-c/libxml-security-c-*_1.4.0-3+lenny2_*.deb

Fedora: new xmlsec1 packages.
New packages are available:
  xmlsec1-1.2.12-1.fc10
  xmlsec1-1.2.12-1.fc11

Fedora: new xml-security-c packages.
New packages are available:
  xml-security-c-1.5.1-1.fc10
  xml-security-c-1.5.1-1.fc11

HP-UX: patch for JDK, SDK and JRE.
A patch is available:
  JDK and JRE v6.0.05
  JDK and JRE v5.0.17
  SDK and JRE v1.4.2.23

Mandriva 2008.0: new mono packages.
New packages are available:
  mono-1.2.5-2.1mdv2008.0

Mandriva 2008.0: new xmlsec1 packages.
New packages are available:
  xmlsec1-1.2.10-5.1mdv2008.0

Mandriva 2009.1: new mono packages.
New packages are available:
Mandriva Linux 2009.1:
mono-2.2-2.1mdv2009.1

Mandriva: new mono packages.
New packages are available:
Mandriva Linux 2008.1:
mono-1.2.6-4.2mdv2008.1
Mandriva Linux 2009.0:
mono-1.9.1-5.2mdv2009.0
Mandriva Enterprise Server 5:
mono-1.9.1-5.2mdvmes5

Mandriva: new xmlsec1 packages.
New packages are available:
Mandriva Linux 2008.1:
xmlsec1-1.2.10-6.1mdv2008.1
Mandriva Linux 2009.0:
xmlsec1-1.2.10-7.1mdv2009.0
Mandriva Linux 2009.1:
xmlsec1-1.2.10-8.1mdv2009.1
Mandriva Enterprise Server 5:
xmlsec1-1.2.10-7.1mdvmes5

RHEL 4, 5: new xmlsec1 packages.
New packages are available:
Red Hat Enterprise Linux version 4: xmlsec1-1.2.6-3.1
Red Hat Enterprise Linux version 5: xmlsec1-1.2.9-8.1.1

Sun GlassFish Enterprise Server: patch for XML.
A patch is available; see the information sources.

Windows, Microsoft .NET: patch.
The Microsoft bulletin (MS10-041) indicates patches for each system, and workarounds.
