Name | Signature Spoof
Likelihood of attack | Medium
Typical severity | Low
Summary | An attacker generates a message or data block that the recipient accepts as having been generated and cryptographically signed by an authoritative or reputable source, misleading the victim or the victim's operating system into performing malicious actions.
Prerequisites | The victim or victim system relies on cryptographic signature verification to validate one or more security-relevant events or actions. That verification can be bypassed with an attacker-provided signature that appears to have been produced by the legitimate authoritative or reputable source.
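The prerequisite above is easiest to see in code. The block below is an added example written for this page, not part of the CAPEC entry: it contrasts a verifier that trusts the signer key carried inside the message (so any signature that is mathematically valid for some key is accepted) with a verifier pinned to the authoritative key. The keys, envelope format and payload strings are all constructed for the example, and the signature scheme is toy textbook RSA over small fixed primes so that it runs on the standard library alone; it is not a secure scheme.

```python
"""Added example: signature spoofing against a verifier that trusts the
key embedded in the message, versus one pinned to the authoritative key.

Toy textbook RSA over small, fixed, hand-picked primes (constructed for
this example). It demonstrates the trust decision only; do NOT use it as
a real signature scheme."""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA keypair from two primes (assumes gcd(e, phi) == 1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}


# Constructed keys: the authoritative source's key and an attacker's own key.
LEGIT_PUB, LEGIT_PRIV = make_keypair(1000000007, 998244353)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(1000000009, 1000000021)


def _digest(payload: bytes, n: int) -> int:
    """SHA-256 of the payload reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign(payload: bytes, priv: dict) -> int:
    return pow(_digest(payload, priv["n"]), priv["d"], priv["n"])


def verify(payload: bytes, sig: int, pub: dict) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(payload, pub["n"])


def make_envelope(payload: bytes, pub: dict, priv: dict) -> dict:
    """Signed message that carries the signer's public key alongside it."""
    return {"payload": payload.decode(), "signer": pub, "sig": sign(payload, priv)}


def weak_verify(env: dict) -> bool:
    """Vulnerable: trusts whatever key the message claims signed it.

    This answers "is the signature valid for the embedded key?", which an
    attacker with their own keypair can always make true."""
    return verify(env["payload"].encode(), env["sig"], env["signer"])


def pinned_verify(env: dict, trusted_pub: dict) -> bool:
    """Hardened: ignores the embedded key and checks only the pinned one.

    This answers "was this signed by the key I already trust?"."""
    return verify(env["payload"].encode(), env["sig"], trusted_pub)


def run_demo() -> dict:
    """Run both verifiers over a legitimate and a spoofed envelope."""
    legit = make_envelope(b"update=benign.bin", LEGIT_PUB, LEGIT_PRIV)
    spoofed = make_envelope(b"update=malicious.bin", ATTACKER_PUB, ATTACKER_PRIV)
    return {
        "legit_weak": weak_verify(legit),
        "legit_pinned": pinned_verify(legit, LEGIT_PUB),
        "spoofed_weak": weak_verify(spoofed),          # accepted: the spoof succeeds
        "spoofed_pinned": pinned_verify(spoofed, LEGIT_PUB),  # rejected
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:15s} -> {'ACCEPT' if ok else 'REJECT'}")
```

The point a practitioner should carry away is the question each verifier asks. The weak verifier checks that a signature is valid for a key the message itself supplied, so an attacker who generates their own keypair satisfies it trivially; the pinned verifier checks against a key established out of band (a pinned key, or a chain to a trusted root) and treats any signer-supplied key, and likewise any signer-supplied choice of algorithm, as untrusted input.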
Solutions | |
Related Weaknesses
CWE ID | Description
CWE-20 | Improper Input Validation
CWE-290 | Authentication Bypass by Spoofing
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm
Related CAPECs
CAPEC ID | Description
CAPEC-151 | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen or spoofed authentication credentials.
Taxonomy: ATT&CK
Entry ID | Entry Name
1036.001 | Masquerading: Invalid Code Signature
1553.002 | Subvert Trust Controls: Code Signing