Sun has released a security notification and patches to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Description
Multiple implementations of XML Signature Syntax and Processing contain a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and access protected resources.
The vulnerability exists in how an implementation of XML Signature Syntax and Processing (XMLDsig) handles HMAC output truncation, the mechanism described in RFC 2104, the HMAC specification. An unauthenticated, remote attacker who can control the HMAC truncation parameter could craft a signature element with a truncated HMAC that, when presented to the XMLDsig process, could be accepted by that process. The attacker could use this method to bypass authentication and access protected resources.
Multiple vendors have confirmed this vulnerability and released updates.
Warning Indicators
Multiple vendors' implementations of XML Signature Syntax and Processing are vulnerable.
IntelliShield Analysis
This vulnerability exists because the specifications for XMLDsig and HMAC truncation do not adequately address the case in which an attacker can supply a crafted HMAC truncation to the XMLDsig process.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the June 2010 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for June 2010
Vendor Announcements
HP has released a security bulletin c01925304 at the following link: HPSBUX02476 SSRT090250
IBM has released a security alert at the following link: CVE-2009-0217
Sun has released alert notifications at the following links: 263429 and 269208
Sun has released a security notification at the following link: CVE-2009-0217
US-CERT has released a vulnerability note at the following link: VU#466161
Impact
An unauthenticated, remote attacker could exploit this vulnerability to access protected resources.
Technical Information
The vulnerability is due to a lack of input validation when an affected product handles HMAC truncation parameters from an untrusted source. An unauthenticated, remote attacker could supply a signature whose HMACOutputLength is set to 1. In this case, only one bit of the HMAC is compared during verification, so the attacker would need at most two attempts before presenting a signature value whose single verified bit is in the correct state. Exploitation could allow the attacker to access protected resources.
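To make the failure mode concrete, the following added example (not code from the advisory or from any affected vendor) contrasts a verifier that honours any HMACOutputLength with one that enforces the minimum RFC 2104 permits (at least half the digest length and at least 80 bits). It assumes a constructed SignedInfo fragment, a hypothetical shared key, and treats the fragment string itself as the signed input rather than performing XML canonicalization.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a SignedInfo element carrying HMACOutputLength (no real C14N is done).
SIGNED_INFO = ('<SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
               '<HMACOutputLength>{}</HMACOutputLength></SignatureMethod></SignedInfo>')
KEY = b"constructed-shared-secret"  # hypothetical key, not from the advisory

def sign(signed_info, key):
    """Signer side: full HMAC-SHA1 over the signed input."""
    return hmac.new(key, signed_info.encode(), hashlib.sha1).digest()

def output_length(signed_info):
    m = re.search(r"<HMACOutputLength>(\d+)</HMACOutputLength>", signed_info)
    return int(m.group(1)) if m else None

def truncate_bits(mac, bits):
    """Keep the leftmost `bits` bits of mac (RFC 2104 section 5 truncation)."""
    out = bytearray(mac[:(bits + 7) // 8])
    if out and bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)

def verify_vulnerable(signed_info, signature_value, key):
    """Pre-fix behaviour: any HMACOutputLength is honoured, even 1 bit."""
    full = sign(signed_info, key)
    bits = output_length(signed_info) or len(full) * 8
    return hmac.compare_digest(truncate_bits(full, bits), truncate_bits(signature_value, bits))

def verify_fixed(signed_info, signature_value, key):
    """Post-fix behaviour: HMACOutputLength must be >= max(80, L/2) and <= L."""
    full = sign(signed_info, key)
    digest_bits = len(full) * 8
    bits = output_length(signed_info)
    if bits is None:
        bits = digest_bits
    elif bits < max(80, digest_bits // 2) or bits > digest_bits:
        raise ValueError("HMACOutputLength %d outside the permitted range" % bits)
    return hmac.compare_digest(truncate_bits(full, bits), truncate_bits(signature_value, bits))

def demo():  # for HMACOutputLength=1: (1-bit candidates the old verifier accepts, fixed verdict)
    si = SIGNED_INFO.format(1)
    accepted = sum(verify_vulnerable(si, c, KEY) for c in (b"\x00", b"\x80"))
    try:
        verify_fixed(si, b"\x00", KEY)
        fixed = "accepted"
    except ValueError:
        fixed = "rejected"
    return accepted, fixed
```

With a one-bit output length there are only two possible truncated values, so the pre-fix verifier accepts exactly one of them without any knowledge of the key; the fixed verifier refuses to evaluate the signature at all.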
Safeguards
Administrators are advised to apply the appropriate updates.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators are advised to monitor affected systems for signs of suspicious activities.
Patches/Software
HP has released updated software at the following links:
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Oracle has released patches for registered users at the following link: Oracle
RSA has released updated software for registered users at the following links: 8473 and 8474
Sun has released updated software at the following links:
JDK 6 Update 15 for Solaris is available in the following patches:
SPARC:
Java SE 6 Update 15 (as delivered in patch 125136-16)
Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
Intel:
Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))
For customers with a valid support contract:
SPARC:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 128640-13 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 128643-13 or later
Sun GlassFish Enterprise Server v2.1 with patch 128647-13 or later
Intel:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 128641-13 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 128644-13 or later
Sun GlassFish Enterprise Server v2.1 with patch 128648-13 or later
Linux:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 128642-13 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 128645-13 or later
Sun GlassFish Enterprise Server v2.1 with patch 128649-13 or later
Windows:
Sun GlassFish Enterprise Server v2.1 with HADB with patch 128646-13 or later
Sun GlassFish Enterprise Server v2.1 with patch 128650-13 or later
AIX:
Sun GlassFish Enterprise Server v2.1 with patch 137916-12 or later
For customers without a valid support contract:
SPARC:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 141709-02 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 141700-02 or later
Sun GlassFish Enterprise Server v2.1 with patch 141704-02 or later
Intel:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 141710-02 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 141701-02 or later
Sun GlassFish Enterprise Server v2.1 with patch 141705-02 or later
Linux:
Sun GlassFish Enterprise Server v2.1 with HADB (Package Based) with patch 141711-02 or later
Sun GlassFish Enterprise Server v2.1 with HADB with patch 141702-02 or later
Sun GlassFish Enterprise Server v2.1 with patch 141706-02 or later
Windows:
Sun GlassFish Enterprise Server v2.1 with HADB with patch 141703-02 or later
Sun GlassFish Enterprise Server v2.1 with patch 141707-02 or later
AIX:
Sun GlassFish Enterprise Server v2.1 with patch 141708-02 or later
Apache has released an SVN update; however, stable release versions are unavailable.
Sun has released patches for StarOffice/StarSuite for relevant platforms at the following link: CVE-2009-0217
Version 19, June 8, 2010, 7:42 PM: Microsoft has released a security bulletin and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 18, March 01, 2010, 10:58 PM: FreeBSD has released a security advisory and updated OpenOffice.org packages to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 17, February 12, 2010, 3:51 PM: OpenOffice.org has released a security advisory and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 16, January 14, 2010, 3:32 PM: Red Hat has released an additional security advisory and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 15, January 8, 2010, 9:53 AM: MontaVista Software has re-released a security alert and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 14, January 4, 2010, 9:44 AM: Red Hat has released an additional security advisory and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 13, December 11, 2009, 8:56 AM: Red Hat has released additional security advisories and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 12, November 16, 2009, 9:29 AM: MontaVista has released a security alert and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 11, November 12, 2009, 8:28 AM: HP has released a security bulletin and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 10, November 2, 2009, 8:31 AM: Sun has released an additional alert notification and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability. CentOS has also released updated software to address this vulnerability.
Version 9, October 21, 2009, 9:41 AM: Oracle has released a security advisory and patches to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 8, September 9, 2009, 10:31 AM: Red Hat has released an additional security advisory and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 7, September 4, 2009, 8:54 AM: Apple has released a security advisory and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 6, August 27, 2009, 12:58 PM: IBM has released a security alert to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 5, August 7, 2009, 9:44 AM: Red Hat has released a security advisory and updated packages to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 4, August 6, 2009, 8:13 AM: Sun has released an alert notification and updated software to address the XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 3, July 24, 2009, 2:53 PM: Apache has released a changelog and SVN updates to address the multiple vendor XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 2, July 16, 2009, 4:42 PM: RSA has released a security advisory and updated packages to address the multiple vendor XML Signature Syntax and Processing HMAC truncation remote authentication bypass vulnerability.
Version 1, July 15, 2009, 4:09 PM: Multiple implementations of XML Signature Syntax and Processing contain a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and access protected resources. Updates are available.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.