Home > CAPEC List > CAPEC-217: Exploiting Incorrectly Configured SSL (Version 2.9)  

CAPEC-217: Exploiting Incorrectly Configured SSL

Exploiting Incorrectly Configured SSL
Definition in a New Window Definition in a New Window
Attack Pattern ID: 217
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An adversary takes advantage of incorrectly configured SSL communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

+ Attack Execution Flow
  1. Determine the configuration levels of either the server or client being targeted, preferably both. This is not a hard requirement, as the attacker can simply assume commonly exploitable configuration settings and blindly attempt them.

  1. Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. MITM (man in the middle).

  1. Insert the malicious data into the stream that takes advantage of the configuration flaw.

+ Attack Prerequisites
  • Access to the client/server stream.

+ Typical Likelihood of Exploit

Likelihood: Low

+ Examples-Instances


Using MITM techniques, an attacker launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the attacker to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker needs real-time access to network traffic in such a manner that the attacker can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles.

+ Resources Required

The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time.

+ Probing Techniques

Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.

Probing is as simple as changing this value and watching its effect.

+ Solutions and Mitigations

Usage of configuration settings, such as stream ciphers vs. block ciphers and setting timeouts on SSL sessions to extremely low values lessens the potential impact. Use of later versions of TLS (e.g. TLS 1.1+) can also be effective, but not all clients or servers support the later versions.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Gain privileges / assume identity
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-12-07Updated Description SummaryInternal
Previous Entry Names
DatePrevious Entry Name
2015-12-07Exploiting Incorrectly Configured SSL Security Levels

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015