Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a protocol or product supports negotiation of a security algorithm (such as an encryption cipher) between two parties but selects a weaker algorithm than the strongest one both sides support, creating an unnecessary security gap.

Extended Description

This flaw, commonly exploited through what is called an algorithm downgrade attack, arises because the negotiation logic does not prioritize the strongest option that both parties support. An attacker who can interfere with the handshake (for example, by stripping the strong options from the initial offer) can force the use of a broken or outdated algorithm, which makes follow-on attacks such as traffic decryption or spoofing far easier. The danger from a developer's perspective is that the connection still completes and the product keeps operating without alerting users that protection has been reduced. For example, if a weak cipher is negotiated where AES-256 was available on both sides, an attacker who records the traffic can decrypt it with far less effort than the design assumed, bypassing the intended protection entirely. The core fix is negotiation logic that follows a server-controlled preference order (strongest first), refuses known-weak fallbacks outright instead of accepting them as a last resort, and fails closed when no acceptable option is shared.
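The negotiation logic described above, modelled in Python as an added example (constructed for this page, not code from the CWE entry or any real TLS stack): a vulnerable selector that honours the client's order and takes the first match, beside a hardened selector that walks a server-controlled strongest-first list, skips known-weak suites and fails closed; an adversary-in-the-middle that rewrites the client's offer; and a misordered client, which is the "improper prioritization" case from the observed examples. The suite names, the strength ordering in SERVER_PREFERENCE and the WEAK_SUITES set are assumptions chosen for illustration, not a recommended real-world cipher list.

```python
"""Cipher-suite negotiation: vulnerable (CWE-757) versus hardened selection.

Constructed example. Suite names resemble TLS names but only their
ordering and membership in WEAK_SUITES matter for this demonstration.
"""
from typing import Iterable, Optional, Sequence

# Assumed server preference, strongest first. The last three are kept in
# the list only to show what the hardened negotiator must refuse.
SERVER_PREFERENCE: Sequence[str] = (
    "AES256-GCM-SHA384",
    "CHACHA20-POLY1305-SHA256",
    "AES128-GCM-SHA256",
    "3DES-CBC-SHA",   # legacy
    "RC4-MD5",        # broken
    "NULL-SHA",       # no confidentiality at all
)

# Assumed deny-list: never selected, even if both sides would accept them.
WEAK_SUITES = frozenset({"3DES-CBC-SHA", "RC4-MD5", "NULL-SHA"})


def negotiate_vulnerable(client_offer: Iterable[str],
                         server_supported: Iterable[str]) -> Optional[str]:
    """CWE-757 pattern: first suite in the *client's* order that the server
    knows wins. Whoever controls the client's offer controls the outcome,
    and a weak suite is accepted as readily as a strong one."""
    supported = set(server_supported)
    for suite in client_offer:
        if suite in supported:
            return suite
    return None


def negotiate_hardened(client_offer: Iterable[str],
                       server_preference: Sequence[str] = SERVER_PREFERENCE,
                       weak: frozenset = WEAK_SUITES) -> Optional[str]:
    """Walk the server's strongest-first list, skip weak suites outright,
    and return None (fail closed) when nothing acceptable is shared.
    Client ordering is ignored, so a tampered or misordered offer can only
    reduce the set of candidates, never change the preference."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in weak:
            continue
        if suite in offered:
            return suite
    return None


def downgrade_attacker(client_offer: Iterable[str], keep: Iterable[str]) -> list:
    """Adversary-in-the-middle rewriting the client's hello: every suite not
    in `keep` is stripped, so only the attacker's preferred choices survive."""
    keep = set(keep)
    return [s for s in client_offer if s in keep]


def demo() -> dict:
    """Run each negotiator against an honest, a tampered and a misordered offer."""
    honest_client = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "RC4-MD5"]
    tampered = downgrade_attacker(honest_client, keep={"RC4-MD5"})
    # A client that lists a weak suite first (bad prioritization on its side).
    misordered = ["RC4-MD5", "AES256-GCM-SHA384"]
    return {
        "vulnerable_honest": negotiate_vulnerable(honest_client, SERVER_PREFERENCE),
        "vulnerable_tampered": negotiate_vulnerable(tampered, SERVER_PREFERENCE),
        "vulnerable_misordered": negotiate_vulnerable(misordered, SERVER_PREFERENCE),
        "hardened_honest": negotiate_hardened(honest_client),
        "hardened_tampered": negotiate_hardened(tampered),
        "hardened_misordered": negotiate_hardened(misordered),
    }


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:22s} -> {chosen if chosen else 'REFUSED (no acceptable suite)'}")
```

Only the hardened selector refuses the tampered offer; the vulnerable one hands the attacker RC4-MD5 in both the tampered and the misordered case while the connection still "succeeds". Note that selection logic alone is not a complete defence: a real protocol also has to authenticate the negotiated parameters (for example, by signing or MAC-ing the full handshake transcript), otherwise an attacker who can rewrite handshake messages can still tamper with the outcome undetected.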

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Observed Examples
CVE-2006-4302: Attacker can select an older version of the software to exploit its vulnerabilities.
CVE-2006-4407: Improper prioritization of encryption ciphers during negotiation leads to use of a weaker cipher.
CVE-2005-2969: chain: SSL/TLS implementation disables a verification step (Missing Cryptographic Step) that enables a downgrade attack to a weaker protocol.
CVE-2001-1444: Telnet protocol implementation allows downgrade to weaker authentication and encryption using an Adversary-in-the-Middle (AITM) attack.
CVE-2002-1646: SSH server implementation allows override of a configuration setting to use weaker authentication schemes. This may be a composite with External Control of Critical State Data.
Modes of Introduction
Architecture and Design
Related Weaknesses
Notes
Relationship: This is related to Channel Accessible by Non-Endpoint, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. See examples.