CWE - Common Weakness Enumeration
Individual Dictionary Definition (2.11)

CWE-298: Improper Validation of Certificate Expiration

Weakness ID: 298
Abstraction: Variant
Status: Draft
+ Description

Description Summary

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Extended Description

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope: Integrity, Other
Technical Impact: Other
The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.

Scope: Authentication, Other
Technical Impact: Other
Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

The following OpenSSL code ensures that a peer certificate is present, but it also accepts a certificate whose validity period has already ended.

(Bad Code)
Example Languages: C and C++
X509 *cert;
long foo;
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
    foo = SSL_get_verify_result(ssl);
    /* Flaw: an expired certificate is treated the same as a valid one. */
    if ((X509_V_OK == foo) || (X509_V_ERR_CERT_HAS_EXPIRED == foo)) {
        /* do stuff */
    }
}

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.

+ Potential Mitigations

Phase: Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
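The check that the bad example above skips and that this mitigation asks for, shown as an added example that is not part of the CWE entry and not OpenSSL code: it parses the ASN.1 UTCTime ("YYMMDDHHMMSSZ") and GeneralizedTime ("YYYYMMDDHHMMSSZ") strings that carry a certificate's notBefore/notAfter values, applies the RFC 5280 two-digit-year pivot, rejects a certificate that is outside its validity period, and returns a message the user can act on. The function names (asn1_time_to_epoch, check_validity_period, validity_message) and the sample dates are constructed for this example; only the C standard library is used. In an OpenSSL client the same condition is what SSL_get_verify_result() reports as X509_V_ERR_CERT_HAS_EXPIRED, and the correct response is to treat it as a failure rather than as an alternative to X509_V_OK.

```c
/* Added example (not from the CWE entry or OpenSSL): validity-period check for
 * an X.509 certificate using only the C standard library. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum cert_validity {
    CERT_VALID = 0,
    CERT_NOT_YET_VALID,
    CERT_EXPIRED,
    CERT_BAD_TIME_FORMAT
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so no timegm() is needed. */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d) {
    y -= (m <= 2);
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Read exactly n ASCII digits; returns 0 on any non-digit. */
static int parse_digits(const char *s, int n, int *out) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse an ASN.1 UTCTime or GeneralizedTime string into seconds since the
 * Unix epoch (UTC). Returns 1 on success, 0 on malformed input. Only the 'Z'
 * (UTC) form that RFC 5280 requires in certificates is accepted. */
int asn1_time_to_epoch(const char *s, int64_t *epoch) {
    size_t len = strlen(s);
    int year, mon, day, hour, min, sec;
    const char *p = s;
    if (len == 13) {                 /* UTCTime: YYMMDDHHMMSSZ */
        if (!parse_digits(p, 2, &year)) return 0;
        year += (year >= 50) ? 1900 : 2000;   /* RFC 5280 4.1.2.5.1 pivot */
        p += 2;
    } else if (len == 15) {          /* GeneralizedTime: YYYYMMDDHHMMSSZ */
        if (!parse_digits(p, 4, &year)) return 0;
        p += 4;
    } else {
        return 0;
    }
    if (!parse_digits(p, 2, &mon) || !parse_digits(p + 2, 2, &day) ||
        !parse_digits(p + 4, 2, &hour) || !parse_digits(p + 6, 2, &min) ||
        !parse_digits(p + 8, 2, &sec) || p[10] != 'Z')
        return 0;
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 59)
        return 0;
    *epoch = days_from_civil(year, (unsigned)mon, (unsigned)day) * 86400
           + hour * 3600 + min * 60 + sec;
    return 1;
}

/* Reject a certificate whose validity period does not contain 'now'.
 * Unparsable dates are a failure, never a pass. */
enum cert_validity check_validity_period(const char *not_before,
                                         const char *not_after, int64_t now) {
    int64_t nb, na;
    if (!asn1_time_to_epoch(not_before, &nb) || !asn1_time_to_epoch(not_after, &na))
        return CERT_BAD_TIME_FORMAT;
    if (now < nb) return CERT_NOT_YET_VALID;
    if (now > na) return CERT_EXPIRED;
    return CERT_VALID;
}

/* Text for the user, as the mitigation asks: what is wrong and what to do. */
const char *validity_message(enum cert_validity v) {
    switch (v) {
    case CERT_VALID:         return "certificate is within its validity period";
    case CERT_NOT_YET_VALID: return "certificate is not yet valid: check the system clock; do not proceed";
    case CERT_EXPIRED:       return "certificate has expired: the operator must renew it; do not proceed";
    default:                 return "certificate validity dates are malformed; do not proceed";
    }
}

int main(void) {
    /* Constructed sample: a certificate valid from 2016-01-01 to 2017-01-01 UTC. */
    enum cert_validity v = check_validity_period("160101000000Z", "170101000000Z",
                                                 (int64_t)time(NULL));
    printf("%s\n", validity_message(v));
    return v == CERT_VALID ? 0 : 1;
}
```

The two-digit-year pivot (49 means 2049, 50 means 1950) and the rejection of a malformed date are the two places a hand-rolled check most often goes wrong; both are covered here so that the expiry comparison never silently passes.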

+ Relationships
Nature / Type / ID / Name / View(s) this relationship pertains to
  • ChildOf  Weakness Base  295  Improper Certificate Validation
      Development Concepts (primary) 699; Research Concepts (primary) 1000
  • ChildOf  Weakness Base  672  Operation on a Resource after Expiration or Release
      Research Concepts 1000
  • ChildOf  Category  724  OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
      Weaknesses in OWASP Top Ten (2004) (primary) 711
  • ChildOf  Category  948  SFP Secondary Cluster: Digital Certificate
      Software Fault Pattern (SFP) Clusters (primary) 888
  • PeerOf  Weakness Base  324  Use of a Key Past its Expiration Date
      Research Concepts 1000
  • PeerOf  Weakness Base  370  Missing Check for Certificate Revocation after Initial Check
      Research Concepts 1000
+ Taxonomy Mappings
Mapped Taxonomy Name: CLASP
Mapped Node Name: Failure to validate certificate expiration
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 23: Improper Use of PKI, Especially SSL." Page 347. McGraw-Hill. 2010.
+ Content History
Submissions
  • Submitter: CLASP; Source: Externally Mined
Modifications
  • 2008-07-01  Eric Dalci (Cigital), External: updated Time_of_Introduction
  • 2008-09-08  CWE Content Team (MITRE), Internal: updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
  • 2009-03-10  CWE Content Team (MITRE), Internal: updated Description, Name, Relationships
  • 2009-05-27  CWE Content Team (MITRE), Internal: updated Demonstrative_Examples
  • 2009-07-27  CWE Content Team (MITRE), Internal: updated Demonstrative_Examples
  • 2009-10-29  CWE Content Team (MITRE), Internal: updated Description, Other_Notes
  • 2011-06-01  CWE Content Team (MITRE), Internal: updated Common_Consequences
  • 2012-05-11  CWE Content Team (MITRE), Internal: updated References, Relationships
  • 2013-02-21  CWE Content Team (MITRE), Internal: updated Applicable_Platforms, Demonstrative_Examples, Relationships, Type
  • 2013-07-17  CWE Content Team (MITRE), Internal: updated Relationships
  • 2014-07-30  CWE Content Team (MITRE), Internal: updated Relationships
Previous Entry Names
  • 2009-03-10: Failure to Validate Certificate Expiration

Page Last Updated: May 05, 2017