TID-221: Authentication Bypass By Message Replay
Threat Description
Some devices allow authentication over the network but do not implement mechanisms (e.g. nonces or timestamps) that ensure messages containing credentials cannot be reused. Such devices are potentially vulnerable to replay attacks, in which threat actors capture legitimate packets that were sent over the network and later send them again to the device. If the device accepts these packets, threat actors may be able to initiate unauthorized actions. Additionally, if threat actors are able to edit the contents of the captured packets, they may be able to control the device remotely.
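The following is an added illustration, not part of this catalog entry or of any real device's protocol: a hypothetical authenticated command message verified two ways, once with a MAC check alone (the replayable form) and once with a timestamp window plus a single-use nonce, so that a captured message is rejected when sent again. The shared secret, device identifier and command names are constructed for the example.

```python
import hmac
import hashlib
import os

# Constructed shared secret for this example only; a real device provisions its own.
SECRET = b"example-shared-secret"

def mac(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def build_request(device_id, command, now, nonce=None):
    """Client side. Without a nonce the message carries no freshness fields,
    so its MAC stays valid forever (the replayable form)."""
    body = f"{device_id}|{command}" if nonce is None else f"{device_id}|{command}|{int(now)}|{nonce}"
    return {"body": body, "mac": mac(body)}

class NaiveVerifier:
    """Checks only that the MAC matches: a captured request can be replayed at any time."""
    def accept(self, req, now):
        return hmac.compare_digest(req["mac"], mac(req["body"]))

class FreshnessVerifier:
    """Checks the MAC, then a timestamp window, then that the nonce has not been seen."""
    def __init__(self, window_s=30):
        self.window_s = window_s
        self.seen = {}  # nonce -> timestamp, pruned to the window so memory stays bounded
    def accept(self, req, now):
        if not hmac.compare_digest(req["mac"], mac(req["body"])):
            return False
        parts = req["body"].split("|")
        if len(parts) != 4 or not parts[2].isdigit():
            return False  # message lacks well-formed freshness fields
        ts, nonce = int(parts[2]), parts[3]
        if abs(now - ts) > self.window_s:
            return False  # stale (or clock-skewed) message
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}
        if nonce in self.seen:
            return False  # replay within the window
        self.seen[nonce] = ts
        return True

def demo():
    # Returns (naive results, freshness results) for a capture sent once, replayed at once, and an hour later.
    now = 1_700_000_000
    naive, fresh = NaiveVerifier(), FreshnessVerifier()
    captured = build_request("pump-01", "OPEN_VALVE", now)
    naive_results = (naive.accept(captured, now), naive.accept(captured, now + 3600))
    captured = build_request("pump-01", "OPEN_VALVE", now, nonce=os.urandom(8).hex())
    fresh_results = (fresh.accept(captured, now), fresh.accept(captured, now + 1), fresh.accept(captured, now + 3600))
    return naive_results, fresh_results
```

The naive verifier accepts the same capture an hour later; the freshness verifier accepts it once and rejects both the immediate replay (nonce already seen) and the late one (outside the timestamp window).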
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK T1212 Exploitation for Credential Access
“Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don’t properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.”
CWE
CWE-294: Authentication Bypass by Capture-replay
“A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).”