CAPEC-477
Signature Spoofing by Mixing Signed and Unsigned Content
Niski
Wysoki
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
Alert dla konkretnego CAPEC
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CAPEC.
Opisy CAPEC
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
Informacje CAPEC
Wymagania wstępne
Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned dataRecipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified.
Wymagane umiejętności
The attacker may need to continuously monitor a stream of signed data, waiting for an exploitable message to appear.Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit.
Łagodzenie
Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.Powiązane słabości
| Nazwa słabości | |
|---|---|
CWE-693 |
Protection Mechanism Failure The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
CWE-311 |
Missing Encryption of Sensitive Data The product does not encrypt sensitive or critical information before storage or transmission. |
CWE-319 |
Cleartext Transmission of Sensitive Information The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
