Cleartext Transmission of Sensitive Information |
Weakness ID: 319 (Weakness Base) | Status: Draft |
Description Summary
Extended Description
Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.
Scope | Effect |
---|---|
Confidentiality | Anyone can read the contents of the message if they have access to any channel being used for communication. |
Reference | Description |
---|---|
CVE-2002-1949 | Passwords transmitted in cleartext. |
CVE-2008-4122 | Chain: failure to set "secure" flag in HTTPS cookie causes it to be transmitted across unencrypted HTTP. |
CVE-2008-3289 | Product sends password hash in cleartext in violation of intended policy. |
CVE-2008-4390 | Remote management feature sends sensitive information including passwords in cleartext. |
CVE-2007-5626 | Backup routine sends password in cleartext in email. |
CVE-2004-1852 | Product transmits Blowfish encryption key in cleartext. |
CVE-2008-0374 | Printer sends configuration information, including administrative password, in cleartext. |
CVE-2007-4961 | Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294). |
CVE-2007-4786 | Product sends passwords in cleartext to a log server. |
CVE-2005-3140 | Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes. |
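The chain noted for CVE-2008-4122 (a cookie set over HTTPS without the "secure" flag is later sent over plain HTTP) can be checked from a recorded session. The sketch below is an added example, not part of the CWE entry; the trace format, the `audit_session` name and the `app.example` host are assumptions, and it treats all requests as going to one host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def audit_session(exchanges):
    """exchanges: ordered (request_url, [Set-Cookie header values]) pairs,
    covering one session on a single host from login to logout (assumed format)."""
    findings = []
    exposed = set()  # cookies currently stored without the Secure attribute
    for url, set_cookie_headers in exchanges:
        if urlsplit(url).scheme != "https":
            # A browser attaches every non-Secure cookie to this cleartext request.
            findings.append(("cleartext-request", url, sorted(exposed)))
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if morsel["secure"]:
                    exposed.discard(name)   # re-issued with Secure
                else:
                    exposed.add(name)
                    findings.append(("cookie-without-secure", url, [name]))
    return findings

# Constructed traces (not taken from any real application).
WEAK_SESSION = [
    ("https://app.example/login", ["sid=3f9a; Path=/; HttpOnly"]),
    ("http://app.example/account", []),
    ("https://app.example/logout", ["sid=deleted; Path=/; Secure; HttpOnly; Max-Age=0"]),
]
FIXED_SESSION = [
    ("https://app.example/login", ["sid=3f9a; Path=/; Secure; HttpOnly"]),
    ("https://app.example/account", []),
    ("https://app.example/logout", ["sid=deleted; Path=/; Secure; HttpOnly; Max-Age=0"]),
]

if __name__ == "__main__":
    for finding in audit_session(WEAK_SESSION):
        print(finding)
```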
Phase: Architecture and Design | Encrypt the data with a reliable encryption scheme before transmitting. |
Phase: Implementation | When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page. |
Phase: Testing | Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. |
Phase: Testing | Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption. |
Phase: Operation | Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols. |
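The second Testing mitigation above suggests checking whether captured packets contain readable commands and whether the traffic has high entropy. The following is an added example, not part of the CWE entry: it classifies payloads by credential markers, printable-byte ratio and Shannon entropy. The marker list, the thresholds (0.9, 7.0 bits, 256 bytes) and the sample payloads are assumptions chosen for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Illustrative markers for readable credentials; extend per protocol under test.
MARKERS = re.compile(rb"(?im)(password|passwd|authorization:|cookie:|^PASS )")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(payload: bytes) -> str:
    if MARKERS.search(payload):
        return "cleartext-sensitive"   # readable credential marker on the wire
    if printable_ratio(payload) > 0.9:
        return "readable"              # text, or a text encoding such as Base64
    # Entropy cannot exceed log2(len) bits, so short payloads cannot be judged.
    if len(payload) >= 256 and shannon_entropy(payload) > 7.0:
        return "high-entropy"          # consistent with encryption or compression
    return "inconclusive"

# Constructed sample payloads (not captured from any real system).
SAMPLES = {
    "ftp-login": b"USER alice\r\nPASS example-secret\r\n",
    "http-form": b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&password=example-secret",
    "base64-token": b"token=" + base64.b64encode(b"alice:example-secret"),
    # SHA-256 output used as a stand-in for 1024 bytes of ciphertext.
    "ciphertext-stand-in": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)),
    "short-binary": bytes(range(16)),
}

def audit(samples: dict) -> dict:
    return {name: classify(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20} {verdict}")
```

A "high-entropy" verdict is only a hint, since compressed data scores the same way, and the Base64 sample shows that an encoded credential is still readable even though it carries no plain-text marker.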
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 311 | Missing Encryption of Sensitive Data | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 750 |
ParentOf | Weakness Variant | 5 | J2EE Misconfiguration: Data Transmission Without Encryption | Research Concepts (primary) 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Plaintext Transmission of Sensitive Information |
OWASP. "Top 10 2007-Insecure Communications". <http://www.owasp.org/index.php/Top_10_2007-A9>. |
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 9, "Protecting Secret Data" Page 299. 2nd Edition. Microsoft. 2002. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Description, Likelihood of Exploit, Name, Observed Examples, Potential Mitigations, References, Relationships | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Related Attack Patterns | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2009-01-12 | Plaintext Transmission of Sensitive Information | |||