Man in the Middle Attack |
Attack Pattern ID: 94 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Very High | Status: Draft |
Summary
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakeage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
Attack Execution Flow
The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.
The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
An attacker can eavesdrop on the communication between the target components.
Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.
The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.
Description
Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.
Related Vulnerabilities
CVE-2006-0231
Skill or Knowledge Level: Medium
This attack can get sophisticated since the attack may use cryptography.
The attacker can try to get the public-keys of the victims.
There are free software tool to perform man in the middle attack (packet anlaysis, etc.)
Get your Public Key signed by a Certificate Authority
Encrypt your communication using cryptography (SSL,...)
Use Strong mutual authentication to always fully authenticate both ends of any communications channel.
Exchange public keys using a secure channel
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Targeted |
290 | Authentication Bypass by Spoofing | Secondary |
593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | Secondary |
287 | Improper Authentication | Targeted |
294 | Authentication Bypass by Capture-replay | Secondary |
724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Secondary |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to![]() |
---|---|---|---|---|---|
ChildOf | ![]() | 22 | Exploiting Trust in Client (aka Make the Client Invisible) | Mechanism of Attack (primary)1000 | |
ChildOf | ![]() | 151 | Identity Spoofing (Impersonation) | Mechanism of Attack (primary)1000 | |
ParentOf | ![]() | 57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle | Mechanism of Attack (primary)1000 | |
ParentOf | ![]() | 219 | XML Routing Detour Attacks | Mechanism of Attack (primary)1000 |
CWE - Man-in-the-middle (MITM)
M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.