
Update Protection against Microsoft XML Signature HMAC Truncation Bypass Vulnerability (MS10-041)


Check Point Reference: CPAI-2010-201
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS10-041
Industry Reference(s): CVE-2009-0217
Protection Provided by:
Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft .NET Framework 1.0 SP3
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 2.0 SP1
Microsoft .NET Framework 2.0 SP2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5.1
Vulnerability Description
A tampering vulnerability exists in the Microsoft .NET Framework that could allow an attacker to tamper with signed XML content without being detected. The Microsoft .NET Framework is a component of the Microsoft Windows operating system that enables building and running software applications and Web services. A remote attacker may exploit this issue to bypass authentication.
Update/Patch Available
Update patches:
Microsoft Security Bulletin MS10-041
Vulnerability Details
The vulnerability is caused by the way the W3C XML Signature Syntax and Processing (XMLDsig) recommendation has been implemented in the Microsoft .NET Framework. An attacker could exploit this issue by sending specially crafted XML content to a vulnerable system. Successful exploitation could allow an attacker to bypass certain cryptographic signatures and, as a result, tamper with signed XML content without the receiver detecting the changes.
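To show what an HMAC truncation bypass looks like at the verifier, the following Python is an added example and is not code from Check Point, Microsoft or the .NET Framework. It assumes HMAC-SHA1, a constructed shared key and a constructed SignedInfo fragment whose HMACOutputLength is chosen by the sender, and contrasts a verifier that honours any requested length with one that enforces the lower bound XML Signature 1.1 specifies (at least 80 bits and at least half the hash output).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
KEY = b"constructed-shared-secret"      # constructed sample key, not a real one
FORGED = b"<Assertion user='admin'/>"   # constructed content a forger wants accepted

# Constructed SignedInfo fragment: HMACOutputLength is under the sender's control.
SIGNED_INFO_XML = """<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>1</HMACOutputLength>
  </SignatureMethod>
</SignedInfo>"""

def hmac_output_length(signed_info_xml):
    """Return the HMACOutputLength declared in a SignedInfo element, or None if absent."""
    root = ET.fromstring(signed_info_xml)
    node = root.find(f"{DS}SignatureMethod/{DS}HMACOutputLength")
    return None if node is None else int(node.text.strip())

def truncated_mac(key, data, bits):
    """Leading `bits` bits of HMAC-SHA1, zero-padded to a whole number of bytes."""
    full = hmac.new(key, data, hashlib.sha1).digest()
    nbytes = (bits + 7) // 8
    out = bytearray(full[:nbytes])
    if bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)

def verify_vulnerable(key, data, sig_value, bits):
    """Pre-fix behaviour: trusts whatever HMACOutputLength the document declares."""
    return hmac.compare_digest(truncated_mac(key, data, bits), sig_value)

def verify_hardened(key, data, sig_value, bits):
    """Fixed behaviour: reject lengths below max(80, hash_bits/2) or above hash_bits."""
    hash_bits = hashlib.sha1().digest_size * 8
    if not (max(80, hash_bits // 2) <= bits <= hash_bits):
        return False
    return hmac.compare_digest(truncated_mac(key, data, bits), sig_value)

def guess_space_accepted(verify, key, data, bits):
    """With HMACOutputLength = bits, a forger has at most 2**bits SignatureValues to try."""
    nbytes = (bits + 7) // 8
    for guess in range(2 ** bits):
        candidate = (guess << (8 * nbytes - bits)).to_bytes(nbytes, "big")
        if verify(key, data, candidate, bits):
            return True
    return False
```

With the sample fragment declaring one bit, `guess_space_accepted(verify_vulnerable, ...)` succeeds after at most two tries, while the hardened verifier refuses the declared length before any comparison takes place.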

Protection Overview
This protection will detect and block the transfer of malformed XML files over HTTP.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft XML Signature HMAC Truncation Bypass (MS10-041) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft XML signature HMAC truncation bypass (MS10-041)

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Content Protection > Microsoft XML Signature HMAC Truncation Bypass (MS10-041).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft XML signature HMAC truncation bypass (MS10-041)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > HTML, and select the .NET protection group.
3. Click .NET Common Language Runtime Tampering (MS10-041) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: .NET Vulnerabilities
Description: .NET Common Language Runtime Tampering (MS10-041)