CWE-593

Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

Abstraction: Variant
Status: Draft

Description

The product modifies the SSL context after connection creation has begun.

If the program modifies the SSL_CTX object after it has already created SSL objects from it, the SSL objects created from the original context may also be affected by that change, so connections set up under one configuration can end up governed by another.

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism

Scope: Confidentiality
Impact: Read Application Data

Potential Mitigations

Phase: Architecture and Design

Use a language or a library that provides a cryptography framework at a higher level of abstraction.

Phase: Implementation

Most SSL_CTX functions have SSL counterparts that act on SSL-type objects, so a setting that must differ for one connection should be applied to that SSL object rather than to the shared SSL_CTX.

Phase: Implementation

Applications should set up an SSL_CTX completely before creating any SSL objects from it.

Applicable Platforms

Not Language-Specific
