CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

Not rated

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.

CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-217?

How does a Exploiting Incorrectly Configured SSL/TLS attack work?

How do you prevent CAPEC-217?

What weaknesses does CAPEC-217 target?

How severe is CAPEC-217?

References

Defend against CAPEC-217

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-217?

How does a Exploiting Incorrectly Configured SSL/TLS attack work?

How do you prevent CAPEC-217?

What weaknesses does CAPEC-217 target?

How severe is CAPEC-217?

References

Defend against CAPEC-217