| Name |
Signature Spoofing by Mixing Signed and Unsigned Content |
|
| Likelyhood of attack |
Typical severity |
| Low |
High |
|
| Summary |
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data. |
| Prerequisites |
Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified. |
| Solutions | Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-311 |
Missing Encryption of Sensitive Data |
| CWE-319 |
Cleartext Transmission of Sensitive Information |
| CWE-693 |
Protection Mechanism Failure |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-473 |
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions. |
|