CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.6)  

CWE-298: Improper Validation of Certificate Expiration

 
Improper Validation of Certificate Expiration
Weakness ID: 298 (Weakness Base)Status: Draft
+ Description

Description Summary

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Extended Description

When the expiration of a certificate is not taken into account no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Integrity

The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.

Authentication

Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

(Bad Code)
C and C++
if (!(cert = SSL_get_peer(certificate(ssl)) || !host) foo=SSL_get_verify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) //do stuff
+ Potential Mitigations
PhaseDescription
Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory295Certificate Issues
Development Concepts (primary)699
PeerOfWeakness BaseWeakness Base296Improper Following of Chain of Trust for Certificate Validation
Research Concepts1000
PeerOfWeakness BaseWeakness Base297Improper Validation of Host-specific Certificate Data
Research Concepts1000
PeerOfWeakness BaseWeakness Base299Improper Check for Certificate Revocation
Research Concepts1000
PeerOfWeakness BaseWeakness Base322Key Exchange without Entity Authentication
Research Concepts1000
PeerOfWeakness BaseWeakness Base324Use of a Key Past its Expiration Date
Research Concepts1000
ChildOfWeakness BaseWeakness Base672Use of a Resource after Expiration or Release
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfWeakness ClassWeakness Class754Improper Check for Exceptional Conditions
Research Concepts1000
PeerOfWeakness BaseWeakness Base370Missing Check for Certificate Revocation after Initial Check
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPFailure to validate certificate expiration
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Description, Name, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-10-29CWE Content TeamMITREInternal
updated Description, Other Notes
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us