
CWE-319: Cleartext Transmission of Sensitive Data

Description Summary

The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Extended Description

Many communication channels can be “sniffed” by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.

Likelihood of Exploit

Medium to High

Common Consequences

Scope: Integrity, Confidentiality
Technical Impact: Read application data; Modify files or directories
Note: Anyone can read the information by gaining access to the channel being used for communication.

Detection Methods

Detection Method - 1

Black Box

Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.

Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.


Potential Mitigations

Mitigation - 1

Architecture and Design

Encrypt the data with a reliable encryption scheme before transmitting.

Mitigation - 2

Implementation

When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.

Mitigation - 3

Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Mitigation - 4

Operation

Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.

Demonstrative Examples

Example - 1

The following code attempts to establish a connection to a site to communicate sensitive information.

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class CleartextUpload {
    public static void main(String[] args) {
        try {
            // Plain http://: everything sent over this connection crosses the network unencrypted
            URL u = new URL("http://www.secret.example.org/");
            HttpURLConnection hu = (HttpURLConnection) u.openConnection();
            hu.setRequestMethod("PUT");
            hu.setDoOutput(true); // needed before getOutputStream() when sending a PUT body
            hu.connect();
            OutputStream os = hu.getOutputStream();
            // ... the sensitive payload would be written to os here, in cleartext
            os.close();
            hu.disconnect();
        } catch (IOException e) {
            // ...
        }
    }
}

Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors.
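The hardened counterpart of Example 1, added here as an illustration and not part of the CWE entry: the sending routine refuses any URL whose scheme is not https, so the payload can only leave inside a TLS session (Mitigations 1 and 4). The host www.secret.example.org and the payload string are placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class EncryptedUpload {

    /** Rejects any URL that is not https://, so sensitive data is never sent in cleartext. */
    static URL requireHttps(String spec) throws IOException {
        URL u = new URL(spec);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing cleartext transport for sensitive data: " + spec);
        }
        return u;
    }

    /** PUTs the payload over TLS and returns the HTTP status code. */
    static int putSensitive(String spec, byte[] payload) throws IOException {
        URL u = requireHttps(spec);
        // An https URL yields an HttpsURLConnection; certificate-chain and
        // hostname verification happen during connect() with the JDK defaults.
        HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
        hu.setRequestMethod("PUT");
        hu.setDoOutput(true);
        hu.setRequestProperty("Content-Type", "application/octet-stream");
        hu.connect();
        try (OutputStream os = hu.getOutputStream()) {
            os.write(payload); // travels inside the TLS session, not in cleartext
        }
        // Record which cipher suite protected the payload (useful in audit logs).
        System.out.println("TLS cipher suite: " + hu.getCipherSuite());
        int status = hu.getResponseCode();
        hu.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder secret; the hypothetical host is the one used in Example 1.
        byte[] secret = "password=placeholder".getBytes(StandardCharsets.UTF_8);
        System.out.println("status: " + putSensitive("https://www.secret.example.org/", secret));
    }
}
```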


Observed Examples

Reference      Description
CVE-2002-1949  Passwords transmitted in cleartext.
CVE-2008-4122  Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.
CVE-2008-3289  Product sends password hash in cleartext in violation of intended policy.
CVE-2008-4390  Remote management feature sends sensitive information including passwords in cleartext.
CVE-2007-5626  Backup routine sends password in cleartext in email.
CVE-2004-1852  Product transmits Blowfish encryption key in cleartext.
CVE-2008-0374  Printer sends configuration information, including administrative password, in cleartext.
CVE-2007-4961  Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).
CVE-2007-4786  Product sends passwords in cleartext to a log server.
CVE-2005-3140  Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.
cwe/cn/definition/319.txt · Last modified: 2014/09/04 14:32 (external edit)