HMAC truncation authentication bypass in XML Signature

There is a vulnerability in XML Signatures. The W3C recommendation includes support for HMAC truncation as specified in RFC2104. The thing is, this support is not complete: the RFC does not allow truncation to less than half of the length of the hash output, nor to less than 80 bits (whichever is larger). Until now the XML Signature recommendation ignored this part of the RFC. So when the truncation length is under the control of an attacker, this amounts to an effective authentication bypass.

On the one hand this is serious, since it is possible to specify an HMACOutputLength of 1, so that only one bit of the signature is verified. This can allow an attacker to forge an XML Signature that will be accepted as valid. US-CERT lists the vulnerable products. Apache XML Security up to version 1.4.2 is vulnerable (among a lot of other products). Version 1.4.3, which includes a fix for this bug, should be available tomorrow, so at least Apache XML Security users will soon be on the safe side again. On the other hand, the HMACOutputLength feature is not that widely used, so there is no need to panic.
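The check the fix has to add, as an added example in Python that is not code from this post or from Apache XML Security: a verifier that honours whatever HMACOutputLength the signature carries, next to one that enforces the RFC2104 lower bound before comparing. Key and signed data are constructed sample values.

```python
import hmac

# Output length in bits of the HMAC hash functions used with XML Signature.
HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def min_truncation_bits(hash_name: str) -> int:
    """RFC 2104 lower bound for a truncated tag: at least half of the hash
    output and at least 80 bits, i.e. the larger of the two."""
    return max(HASH_BITS[hash_name] // 2, 80)


def truncated_hmac(key: bytes, data: bytes, hash_name: str, out_bits: int) -> bytes:
    """HMAC over data, keeping only the leftmost out_bits bits; a partial
    trailing byte is masked so the comparison covers only the kept bits."""
    full = hmac.new(key, data, hash_name).digest()
    out = bytearray(full[: (out_bits + 7) // 8])
    rem = out_bits % 8
    if rem:
        out[-1] &= (0xFF << (8 - rem)) & 0xFF
    return bytes(out)


def verify_naive(key: bytes, data: bytes, tag: bytes, hash_name: str, out_bits: int) -> bool:
    """Pre-fix behaviour: the HMACOutputLength taken from the (attacker
    supplied) <SignatureMethod> is honoured without any lower bound, so
    out_bits=1 leaves a single bit that a guess matches half of the time."""
    return hmac.compare_digest(truncated_hmac(key, data, hash_name, out_bits), tag)


def verify_hardened(key: bytes, data: bytes, tag: bytes, hash_name: str, out_bits: int) -> bool:
    """Fixed behaviour: reject any HMACOutputLength below the RFC 2104
    minimum or above the full digest before the tag is even compared."""
    if not min_truncation_bits(hash_name) <= out_bits <= HASH_BITS[hash_name]:
        return False
    expected = truncated_hmac(key, data, hash_name, out_bits)
    if len(tag) != len(expected):
        return False
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"                    # constructed sample key
    data = b"<SignedInfo>constructed</SignedInfo>"   # constructed sample input
    good = truncated_hmac(key, data, "sha256", 128)
    print(verify_hardened(key, data, good, "sha256", 128))    # True
    print(verify_hardened(key, data, good[:1], "sha256", 1))  # False
```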

The upcoming XML Signature 1.1 recommendation is already updated. The Q&A page contains some additional information.