English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 92797 CVE descriptions
and 51507 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.902193
Category:Windows : Microsoft Bulletins
Title:Microsoft .NET Framework XML HMAC Truncation Vulnerability (981343)
Summary:Check for the version of System.Security.dll file
Description:Description:

Overview: This host is missing a critical security update according to
Microsoft Bulletin MS10-041.

Vulnerability Insight:
The issue is caused by an error in the XML Signature Syntax and Processing
(XMLDsig) implementation that rely on the 'HMACOutputLength' parameter to
determine the number of bytes of the signature to be verified.

Impact:
Successful exploitation will allow the attackers to forge an XML signature that
will be accepted as valid or to bypass security restrictions.

Impact Level: System/Application.

Affected Software/OS:
Microsoft .NET Framework 3.5/SP 1
Microsoft .NET Framework 1.1 SP 1
Microsoft .NET Framework 1.0 SP 3
Microsoft .NET Framework 2.0 SP 1/SP 2

Fix:
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://technet.microsoft.com/en-us/security/bulletin/MS10-041

References:
http://support.microsoft.com/kb/981343
http://www.vupen.com/english/advisories/2010/1398
http://technet.microsoft.com/en-us/security/bulletin/MS10-041

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-0217
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
AIX APAR: PK80596
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
AIX APAR: PK80627
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
Debian Security Information: DSA-1995 (Google Search)
http://www.debian.org/security/2010/dsa-1995
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
HPdes Security Advisory: HPSBUX02476
http://marc.info/?l=bugtraq&m=125787273209737&w=2
HPdes Security Advisory: SSRT090250
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
Microsoft Security Bulletin: MS10-041
http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
RedHat Security Advisories: RHSA-2009:1200
https://rhn.redhat.com/errata/RHSA-2009-1200.html
RedHat Security Advisories: RHSA-2009:1201
https://rhn.redhat.com/errata/RHSA-2009-1201.html
RedHat Security Advisories: RHSA-2009:1428
https://rhn.redhat.com/errata/RHSA-2009-1428.html
RedHat Security Advisories: RHSA-2009:1636
https://rhn.redhat.com/errata/RHSA-2009-1636.html
RedHat Security Advisories: RHSA-2009:1637
https://rhn.redhat.com/errata/RHSA-2009-1637.html
RedHat Security Advisories: RHSA-2009:1649
https://rhn.redhat.com/errata/RHSA-2009-1649.html
RedHat Security Advisories: RHSA-2009:1650
https://rhn.redhat.com/errata/RHSA-2009-1650.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
SuSE Security Announcement: SUSE-SA:2009:053 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
SuSE Security Announcement: SUSE-SA:2010:017 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://www.ubuntulinux.org/support/documentation/usn/usn-826-1
http://www.ubuntu.com/usn/USN-903-1
Cert/CC Advisory: TA09-294A
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
Cert/CC Advisory: TA10-159B
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
CERT/CC vulnerability note: VU#466161
http://www.kb.cert.org/vuls/id/466161
BugTraq ID: 35671
http://www.securityfocus.com/bid/35671
http://osvdb.org/55895
http://osvdb.org/55907
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10186
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7158
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8717
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://secunia.com/advisories/35776
http://secunia.com/advisories/35853
http://secunia.com/advisories/35854
http://secunia.com/advisories/35855
http://secunia.com/advisories/35858
http://secunia.com/advisories/36162
http://secunia.com/advisories/36176
http://secunia.com/advisories/36180
http://secunia.com/advisories/35852
http://secunia.com/advisories/36494
http://secunia.com/advisories/37300
http://secunia.com/advisories/37671
http://secunia.com/advisories/37841
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://secunia.com/advisories/34461
http://secunia.com/advisories/60799
http://secunia.com/advisories/41818
http://www.vupen.com/english/advisories/2009/1900
http://www.vupen.com/english/advisories/2009/1908
http://www.vupen.com/english/advisories/2009/1911
http://www.vupen.com/english/advisories/2009/1909
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0635
CopyrightCopyright (C) 2010 SecPod

This is only one of 51507 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2016 E-Soft Inc. All rights reserved.