CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

Description

The product modifies the SSL context after connection creation has begun.

Extended Description

If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

CAPEC-94

Attack TTPs

T1557 — Adversary-in-the-Middle (credential-access, collection)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Common Consequences

Impact: Bypass Protection Mechanism — Notes: No authentication takes place in this process, bypassing an assumed protection of encryption.
Impact: Read Application Data — Notes: The encrypted communication between a user and a trusted host may be subject to a sniffing attack.

Potential Mitigations

Architecture and Design: Use a language or a library that provides a cryptography framework at a higher level of abstraction. (N/A)
Implementation: Most SSL_CTX functions have SSL counterparts that act on SSL-type objects. (N/A)
Implementation: Applications should set up an SSL_CTX completely, before creating SSL objects from it. (N/A)

Applicable Platforms

None listed.

Demonstrative Examples

Intro: The following example demonstrates the weakness.

#define CERT "secret.pem" #define CERT2 "secret2.pem" int main(){ SSL_CTX *ctx; SSL *ssl; init_OpenSSL(); seed_prng(); ctx = SSL_CTX_new(SSLv23_method()); if (SSL_CTX_use_certificate_chain_file(ctx, CERT) != 1) int_error("Error loading certificate from file"); if (SSL_CTX_use_PrivateKey_file(ctx, CERT, SSL_FILETYPE_PEM) != 1) int_error("Error loading private key from file"); if (!(ssl = SSL_new(ctx))) int_error("Error creating an SSL context"); if ( SSL_CTX_set_default_passwd_cb(ctx, "new default password" != 1)) int_error("Doing something which is dangerous to do anyways"); if (!(ssl2 = SSL_new(ctx))) int_error("Error creating an SSL context"); }

Notes

No notes available.

← Back to CWE list