CWE-593 认证绕过:SSL对象创建后修改OpenSSL CTX对象
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
The software modifies the SSL context after connection creation has begun.
扩展描述
If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 666 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 699 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Bypass Protection Mechanism | No authentication takes place in this process, bypassing an assumed protection of encryption. |
| Confidentiality | Read Application Data | The encrypted communication between a user and a trusted host may be subject to a "man in the middle" sniffing attack. |
可能的缓解方案
Architecture and Design
策略:
Use a language or a library that provides a cryptography framework at a higher level of abstraction.
Implementation
策略:
Most SSL_CTX functions have SSL counterparts that act on SSL-type objects.
Implementation
策略:
Applications should set up an SSL_CTX completely, before creating SSL objects from it.
示例代码
例
The following example demonstrates the weakness.
bad C
#define CERT2 "secret2.pem"
int main(){
SSL ssl;
init_OpenSSL();
seed_prng();
ctx = SSL_CTX_new(SSLv23_method());
if (SSL_CTX_use_certificate_chain_file(ctx, CERT) != 1)
if (SSL_CTX_use_PrivateKey_file(ctx, CERT, SSL_FILETYPE_PEM) != 1)
if (!(ssl = SSL_new(ctx)))
if ( SSL_CTX_set_default_passwd_cb(ctx, "new default password" != 1))
if (!(ssl2 = SSL_new(ctx)))
相关攻击模式
- CAPEC-94