Vulnerability Note VU#466161 - XML signature HMAC truncation authentication bypass

Overview
The XML Signature specification allows HMAC output truncation without a minimum length, which may allow a remote attacker to bypass authentication.

Description
XML Signature Syntax and Processing (XMLDSig) is a W3C Recommendation for XML digital signatures, commonly used by SOAP-based web services. The specification supports truncating an HMAC signature value to a length given by the HMACOutputLength parameter, which is carried inside the signed document and is therefore under the control of whoever supplies the signature. The specification does not follow RFC 2104's recommendation on the minimum truncation length (at least half the hash output, and not less than 80 bits). A verifier that honours an arbitrarily small HMACOutputLength compares only a few bits of the HMAC, or none at all, so an attacker who does not know the key can produce a signature value that verifies.

Impact
A remote attacker can bypass XML Signature authentication by supplying a signature with a very short HMACOutputLength.

Solution
Apply an update. Check with your vendor for updated software. Erratum E03 to the XML Signature Recommendation sets minimum HMAC truncation values.

Vendor Information
Affected: Apache XML Security, Apple Inc., Debian GNU/Linux, IBM Corporation, Mono-Project, Oracle Corporation, RSA Security, Inc., Sun Microsystems, Inc., XML Security Library
Not Affected: Force10 Networks, Inc.

CVSS Metrics
Base score not computed. Temporal and environmental metrics not specified.

References
W3C XML Digital Signature Errata (e03)
HMAC Truncation in XML Signature
Various supporting documents and reports

Acknowledgements
Reported and documented by Thomas Roessler of W3C and Will Dormann.

Other Information
CVE ID: CVE-2009-0217
Severity Metric: 8.16
Publication Date: 2009-07-14
Document Revision: 29
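The following added example (written for this note; it is not code from the vulnerability note, the W3C, or any of the listed vendors) shows the Description and Solution above in miniature: a verifier that honours whatever HMACOutputLength the signed document carries, an attacker with no key who forges a signature against it by choosing a 0-bit or 1-bit length, and a verifier that applies the RFC 2104 minimum (half the hash output, not less than 80 bits) that erratum E03 adopts. The SignedInfo bytes are a constructed stand-in for a canonicalised ds:SignedInfo; real XML parsing and canonicalisation are omitted, and the truncated value is modelled as the leftmost bits of the HMAC, right-aligned in bytes.

```python
import hashlib
import hmac
import secrets

# hmac-sha1 is the HMAC algorithm XML Signature mandated at the time of this note.
HASH = hashlib.sha1
HASH_BITS = HASH().digest_size * 8  # 160

# RFC 2104 section 5: truncated output must be at least half the hash output and not
# less than 80 bits. This is the floor erratum E03 imposes on HMACOutputLength.
MIN_OUTPUT_BITS = max(HASH_BITS // 2, 80)


def leading_bits(digest: bytes, nbits: int) -> bytes:
    """Return the leftmost nbits of digest, right-aligned in ceil(nbits/8) bytes.

    Models how a truncated ds:SignatureValue is derived from the full HMAC.
    nbits == 0 yields b'' (the degenerate case the vulnerable verifier accepts)."""
    total = len(digest) * 8
    if not 0 <= nbits <= total:
        raise ValueError("HMACOutputLength out of range for this hash")
    value = int.from_bytes(digest, "big") >> (total - nbits)
    return value.to_bytes((nbits + 7) // 8, "big")


def compute_mac(key: bytes, signed_info: bytes, output_bits: int) -> bytes:
    """What an honest signer (or the verifier) computes for a given HMACOutputLength."""
    return leading_bits(hmac.new(key, signed_info, HASH).digest(), output_bits)


def verify_vulnerable(key: bytes, signed_info: bytes, signature_value: bytes, output_bits: int) -> bool:
    """Pre-erratum behaviour: trusts the attacker-controlled HMACOutputLength, no minimum."""
    expected = compute_mac(key, signed_info, output_bits)
    return hmac.compare_digest(expected, signature_value)


def verify_hardened(key: bytes, signed_info: bytes, signature_value: bytes, output_bits: int) -> bool:
    """Erratum E03 behaviour: reject lengths below the RFC 2104 floor before comparing anything."""
    if output_bits < MIN_OUTPUT_BITS or output_bits > HASH_BITS:
        raise ValueError(
            f"HMACOutputLength {output_bits} rejected; allowed range is {MIN_OUTPUT_BITS}..{HASH_BITS}"
        )
    return verify_vulnerable(key, signed_info, signature_value, output_bits)


def forge_without_key(verify, signed_info: bytes, output_bits: int):
    """Attacker with no key: pick a tiny HMACOutputLength and enumerate every possible value.

    `verify` is the target verifier with the key already bound; returns (forged_value, tries)."""
    tries = 0
    for guess in range(2 ** output_bits):
        candidate = guess.to_bytes((output_bits + 7) // 8, "big")
        tries += 1
        if verify(signed_info, candidate, output_bits):
            return candidate, tries
    return None, tries


def demonstrate() -> dict:
    """Run the honest, 0-bit, 1-bit and hardened cases and return the outcomes."""
    key = secrets.token_bytes(20)  # the verifier's secret; the attacker never learns it
    # Constructed stand-in for a canonicalised ds:SignedInfo the attacker wants accepted.
    signed_info = b'<SignedInfo><Reference URI="#assertion"/></SignedInfo>'
    results = {}

    # Honest signer, full 160-bit output: both verifiers accept.
    honest = compute_mac(key, signed_info, HASH_BITS)
    results["honest_full"] = (
        verify_vulnerable(key, signed_info, honest, HASH_BITS),
        verify_hardened(key, signed_info, honest, HASH_BITS),
    )

    # HMACOutputLength="0": the vulnerable verifier compares two empty strings.
    results["forged_0_bits"] = verify_vulnerable(key, signed_info, b"", 0)

    # HMACOutputLength="1": at most two guesses against the vulnerable verifier.
    bound = lambda si, cand, n: verify_vulnerable(key, si, cand, n)
    forged, tries = forge_without_key(bound, signed_info, 1)
    results["forged_1_bit"] = (forged is not None, tries)

    # The hardened verifier refuses the tiny length before any comparison happens.
    try:
        verify_hardened(key, signed_info, b"\x00", 1)
        results["hardened_rejects"] = False
    except ValueError:
        results["hardened_rejects"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The point to take from the forge loop is that the work factor is 2 to the power of the length the attacker chose, not the length the signer intended, so any verifier that reads HMACOutputLength from the untrusted document must enforce a floor before it compares. Checking the length range is also the only fix that matters here; constant-time comparison does nothing when there are zero or one bits to compare.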