CVE-2012-5885 in Tomcatinfo

Summary

by MITRE

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/20/2021

The vulnerability identified as CVE-2012-5885 represents a critical flaw in Apache Tomcat's implementation of HTTP Digest Access Authentication that fundamentally undermines the security mechanisms designed to prevent unauthorized access. This weakness affects multiple versions of the popular web application server including 5.5.x versions before 5.5.36, 6.x versions before 6.0.36, and 7.x versions before 7.0.30. The flaw specifically targets the replay countermeasure functionality, which is essential for protecting against replay attacks where malicious actors attempt to reuse valid authentication tokens to gain unauthorized access to protected resources.

The technical implementation error occurs when Tomcat processes HTTP Digest authentication requests by incorrectly tracking client nonce values rather than the proper server nonce and nonce-count values. In standard HTTP Digest authentication, the server generates a unique nonce value for each authentication request, and the client includes both a client nonce (cnonce) and a nonce count (nc) in their response. These values work together to ensure that each authentication attempt is unique and cannot be replayed successfully. However, in the vulnerable Tomcat versions, the system fails to properly track the server-generated nonce and nonce-count values that are crucial for detecting replay attempts, instead focusing on client-provided values that are less effective for security purposes.

This misimplementation creates a significant operational impact that directly enables remote attackers to bypass intended access restrictions through simple network sniffing activities. Attackers can capture valid authentication requests from the network traffic and reuse these captured credentials to gain unauthorized access to protected resources without needing to know the actual passwords. The vulnerability is particularly dangerous because it operates at the authentication layer, meaning that successful exploitation can lead to complete system compromise if attackers can access sensitive data or administrative functions. Unlike CVE-2011-1184 which addresses different aspects of digest authentication, this vulnerability specifically targets the replay protection mechanism that should prevent exactly this type of credential reuse attack.

The security implications extend beyond simple authentication bypass to include potential privilege escalation and data exposure risks. According to CWE classification, this vulnerability maps to CWE-310, which addresses cryptographic weaknesses in authentication mechanisms, and specifically relates to CWE-312, which deals with the exposure of sensitive information through improper handling of authentication tokens. From an ATT&CK framework perspective, this vulnerability enables T1110.003 (Password Cracking) and T1566.001 (Phishing) techniques by providing attackers with valid credentials that can be used to access protected resources. The flaw essentially renders the authentication mechanism ineffective against replay attacks, making it easier for attackers to perform unauthorized access attempts and potentially escalate privileges within the affected systems.

Organizations using vulnerable Tomcat versions should immediately implement mitigations including upgrading to the patched versions, implementing additional network security controls such as encrypted connections, and monitoring for suspicious authentication patterns. The most effective solution remains applying the vendor patches that correct the nonce tracking implementation to properly handle server nonce values and nonce-count values for replay protection. Network segmentation and additional authentication layers should also be considered as defensive measures, while security monitoring should focus on detecting unusual authentication patterns that might indicate credential replay attempts.

Reservation

11/17/2012

Disclosure

11/17/2012

Moderation

accepted

Entry

VDB-62933

CPE

ready

EPSS

0.08980

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!