Encryption Bugs (ENC) Examples
CVE-2007-5460
BF Taxonomy
Cause:
Weak Encryption Algorithm (XOR cipher with fixed key)
Attributes:
Sensitive Data: Credentials (PINs/passwords)
Data State: Transferred (over network)
Algorithm: Symmetric (that allows obtaining shared key, by sniffing or spoofing the
docking process, and decryption)
Security Service: Confidentiality
Consequence:
IEX of Sensitive Data credentials
BF Description
Use of a weak encryption algorithm (XOR cipher with fixed key) allows obtaining the
shared symmetric key (by sniffing or spoofing the docking process) and decryption of
transferred (over network) credentials (PINs/passwords), which is a
confidentiality failure and IEX of sensitive data (PINs/passwords). [1]
CVE Description
"Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed
key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make
it easier for attackers to decode a PIN/Password obtained by (1) sniffing or (2) spoofing the docking process."
[2]
Analysis
The following analysis is based on information in [2, 3, 4]: Using electronic codebook
(ECB) results in weak encryption, which is a case of deterministic encryption where patterns in the plaintext
become evident in the ciphertext.
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
CVE-2002-1697
BF Taxonomy
Causes:
Insecure mode of operation (ECB) leads to Weak Encryption Algorithm (for the
same shared key, produces the same ciphertext from the same plaintext)
Attributes:
Sensitive Data: Any (Credentials, Cryptographic, ...)
Data State: Transferred (over network)
Algorithm: Symmetric (that allows identifying patterns and data recovery)
Security Service: Confidentiality
Consequence:
IEX of Sensitive Data
BF Description
Use of an insecure mode of operation (ECB) leads to a weak symmetric
encryption algorithm (for the same shared key, produces the same ciphertext from the
same plaintext) that allows identifying patterns and recovery of transferred (over network)
sensitive data, which is a confidentiality failure and IEX of
that sensitive data. [5]
CVE Description
"Electronic Code Book (ECB) mode in VTun 2.0 through 2.5 uses a weak encryption algorithm that produces the
same ciphertext from the same plaintext blocks, which could allow remote attackers to gain sensitive
information." [6]
Analysis
The following analysis is based on information in [6, 7, 8]: The encryption algorithm uses
XOR with a fixed key. Using a random one-time pad with XOR would be fine, while reusing bits of a key with XOR
results in weak encryption.
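Both weaknesses named in the analyses on this page (fixed-key XOR and ECB-style determinism) show up in one small experiment. The following is an added example, not code from ActiveSync, VTun or the original page; the 8-byte block size, the key and the messages are constructed assumptions. It XORs every block with the same key, which behaves like a block cipher in ECB mode, and contrasts that with a fresh one-time pad.

```python
import secrets

BLOCK = 8  # block size in bytes (assumed for this illustration)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def fixed_key_xor(data: bytes, key: bytes) -> bytes:
    """Weak scheme: XOR every block with the same fixed key.
    Encrypts and decrypts; equivalent to an ECB-mode block cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def one_time_pad(data: bytes) -> tuple[bytes, bytes]:
    """Sound use of XOR: a fresh random pad as long as the message, used once."""
    pad = secrets.token_bytes(len(data))
    return xor_bytes(data, pad), pad

def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block (pattern leak)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def recover_key(ct: bytes, known_pt: bytes) -> bytes:
    """One known plaintext block XOR its ciphertext block equals the fixed key."""
    return xor_bytes(ct[:BLOCK], known_pt[:BLOCK])

# Constructed sample data, not taken from any real product or capture.
FIXED_KEY = bytes.fromhex("a1b2c3d4e5f60718")
MSG_A = b"PIN=0000PIN=0000PIN=0000"   # three identical 8-byte blocks
MSG_B = b"PIN=4821"

def demo() -> dict:
    ct_a = fixed_key_xor(MSG_A, FIXED_KEY)
    ct_b = fixed_key_xor(MSG_B, FIXED_KEY)
    key = recover_key(ct_a, MSG_A)
    otp_ct, pad = one_time_pad(MSG_A)
    return {
        "weak_repeats": repeated_blocks(ct_a),   # plaintext pattern survives
        "key_cancels": xor_bytes(ct_a[:BLOCK], ct_b) == xor_bytes(MSG_A[:BLOCK], MSG_B),
        "key_recovered": key == FIXED_KEY,
        "other_msg_read": fixed_key_xor(ct_b, key) == MSG_B,
        "otp_repeats": repeated_blocks(otp_ct),  # random pad hides the pattern
        "otp_roundtrip": xor_bytes(otp_ct, pad) == MSG_A,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `repeated_blocks` count also works as a quick review check on captured ciphertext: duplicate blocks in encrypted traffic indicate deterministic, ECB-like encryption.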
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
References
[1] Bojanova, I., Black, P. E., Yesha, Y., Wu, Yan, Evans, Z., Poster: The Bugs Framework (BF) – First
Classes: Buffer Overflow (BOF), Injection (INJ), Control of Interaction Frequency (CIF), STC 2017, NIST,
Gaithersburg, MD, USA.
[2] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2007-5460.