CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.
Last updated
Overview
Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) possesses a valid signature and can be trusted. If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more.
What the attacker needs
Prerequisites
- Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms.
Skills required
- High skill: Cryptanalysis of signature verification algorithm
- High skill: Reverse engineering and cryptanalysis of signature verification algorithm implementation
How to mitigate it
Defenses that reduce the risk of CAPEC-475.
- Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.
Examples
The Windows CryptoAPI (Crypt32.dll) was shown to be vulnerable to signature spoofing by failing to properly validate Elliptic Curve Cryptography (ECC) certificates. If the CryptoAPI's signature validator allows the specification of a nonstandard base point (G): "An adversary can create a custom ECDSA certificate with an elliptic curve (ECC) signature that appears to match a known standard curve, like P-256 that includes a public key for an existing known trusted certificate authority, but which was in fact not signed by that certificate authority. Windows checks the public key and other curve parameters, but not the (bespoke adversary-supplied) base point generator (G) parameter constant which actually generated the curve" [REF-562]. Exploiting this vulnerability allows the adversary to leverage a spoofed certificate to dupe trusted network connections and deliver/execute malicious code, while appearing as legitimately trusted entity [REF-563]. This ultimately tricks the victim into believing the malicious website or executable is legitimate and originates from a properly verified source. See also: CVE-2020-0601
Frequently asked questions
Common questions about CAPEC-475.
- What is CAPEC-475?
- An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.
- How do you prevent CAPEC-475?
- Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.
- What weaknesses does CAPEC-475 target?
- CAPEC-475 exploits 3 CWE weaknesses, including CWE-295 (Improper Certificate Validation), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-347 (Improper Verification of Cryptographic Signature).
- How severe is CAPEC-475?
- MITRE rates CAPEC-475 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-475
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.