Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Weakness ID: 593 (Weakness Variant) | Status: Draft
Description Summary
Extended Description
If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change.
Scope | Effect |
---|---|
Authentication | No authentication takes place in this process, bypassing an assumed protection of encryption. |
Confidentiality | The encrypted communication between a user and a trusted host may be subject to a "man in the middle" sniffing attack. |
Example 1
Phase: Architecture and Design | Use a language which provides a cryptography framework at a higher level of abstraction. |
Phase: Implementation | Most SSL_CTX functions have SSL counterparts that act on SSL-type objects. |
Phase: Implementation | Applications should set up an SSL_CTX completely, before creating SSL objects from it. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 592 | Authentication Bypass Issues | Development Concepts (primary) 699; Research Concepts 1000 |
ChildOf | Weakness Base | 666 | Operation on Resource in Wrong Phase of Lifetime | Research Concepts (primary) 1000 |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
94 | Man in the Middle Attack |
Modifications
Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Description, Other Notes, Potential Mitigations |