CWE List, Version 2.2: Individual Dictionary Definition

CWE-299: Improper Check for Certificate Revocation

Weakness ID: 299 (Weakness Base)    Status: Draft
+ Description

Description Summary

The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope: Access Control
Technical Impact: Gain privileges / assume identity
Trust may be assigned to an entity that is not who it claims to be.

Scope: Integrity, Other
Technical Impact: Other
Data from an untrusted (and possibly malicious) source may be integrated.

Scope: Confidentiality
Technical Impact: Read application data
Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++

    X509 *cert;
    if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
        ...
    /* the peer certificate is used from here on without ever calling
       SSL_get_verify_result(), and without any CRL or OCSP lookup */

The code retrieves the peer certificate and carries on using it without calling SSL_get_verify_result(), so it never learns whether the chain verified and never checks whether the certificate has been revoked. Calling SSL_get_verify_result() alone does not close the gap: OpenSSL consults CRLs only when revocation checking has been enabled on the verification parameters (X509_V_FLAG_CRL_CHECK, optionally together with X509_V_FLAG_CRL_CHECK_ALL) and the relevant CRLs have been loaded into the certificate store.
+ Potential Mitigations

Phase: Architecture and Design

Ensure that certificates are checked for revoked status (for example against the issuer's CRL or an OCSP responder) before they are trusted, and do not treat an unavailable or stale revocation status as "not revoked".

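The following is an added example, not code from the CWE entry or from CLASP, illustrating both Example 1 and the mitigation above. It builds a small constructed PKI in memory (a "Demo CA", one leaf with the assumed serial 1001 that the CA revokes, one with serial 1002 that it does not, and a CRL signed by the CA), then runs two verifiers over it: one that validates the chain but never consults the CRL (the CWE-299 behaviour) and one that also performs a hard-fail revocation check. It assumes the `cryptography` package is installed; the function and variable names are the example's own.

```python
"""CWE-299 in miniature: a verifier that checks the certificate chain but never
consults the issuer's CRL accepts a revoked certificate; one that performs the
revocation check rejects it. The test PKI (CA, leaves, CRL) is constructed in-process."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
REVOKED_SERIAL, GOOD_SERIAL = 1001, 1002  # assumed serials for the constructed leaves


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_pki(now):
    """Constructed test PKI: one CA, a leaf the CA revokes, a leaf it does not,
    and a CRL signed by the CA that lists only the first leaf's serial number."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder()
          .subject_name(_name("Demo CA")).issuer_name(_name("Demo CA"))
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(now - dt.timedelta(days=1))
          .not_valid_after(now + dt.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))

    def issue(cn, serial):
        key = ec.generate_private_key(ec.SECP256R1())
        return (x509.CertificateBuilder()
                .subject_name(_name(cn)).issuer_name(ca.subject)
                .public_key(key.public_key()).serial_number(serial)
                .not_valid_before(now - dt.timedelta(days=1))
                .not_valid_after(now + dt.timedelta(days=30))
                .sign(ca_key, hashes.SHA256()))

    revoked_entry = (x509.RevokedCertificateBuilder().serial_number(REVOKED_SERIAL)
                     .revocation_date(now - dt.timedelta(hours=2)).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca.subject)
           .last_update(now - dt.timedelta(hours=1))
           .next_update(now + dt.timedelta(days=7))
           .add_revoked_certificate(revoked_entry)
           .sign(ca_key, hashes.SHA256()))
    return ca, issue("compromised.example", REVOKED_SERIAL), issue("healthy.example", GOOD_SERIAL), crl


def chain_ok(leaf, ca):
    """Issuer match plus signature check: the part that the CWE-299 code does perform."""
    if leaf.issuer != ca.subject:
        return False
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


def verify_without_revocation(leaf, ca):
    """BAD (CWE-299): the chain verifies, so the certificate is accepted even
    though its issuer has published a CRL that lists it."""
    return "accepted" if chain_ok(leaf, ca) else "rejected: bad chain"


def _crl_window(crl):
    """(last_update, next_update) as aware UTC datetimes; next_update may be None.
    cryptography >= 42 offers *_utc accessors; older releases return naive UTC values."""
    if hasattr(crl, "last_update_utc"):
        return crl.last_update_utc, crl.next_update_utc
    nxt = crl.next_update
    return crl.last_update.replace(tzinfo=UTC), None if nxt is None else nxt.replace(tzinfo=UTC)


def verify_with_revocation(leaf, ca, crl, now):
    """GOOD: chain check, then a hard-fail revocation check against the issuer's CRL.
    'No usable CRL' is an error, not 'not revoked': treating it as success would let an
    attacker who can block the CRL fetch bypass the check entirely."""
    if not chain_ok(leaf, ca):
        return "rejected: bad chain"
    if crl is None:
        return "rejected: no revocation data"
    if crl.issuer != leaf.issuer or not crl.is_signature_valid(ca.public_key()):
        return "rejected: CRL not issued by the certificate's CA"
    last, nxt = _crl_window(crl)
    if now < last or (nxt is not None and now >= nxt):
        return "rejected: CRL stale or not yet valid"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "rejected: certificate revoked"
    return "accepted"


def demo(now=None):
    """Run both verifiers over the constructed PKI and return their verdicts."""
    now = now or dt.datetime.now(UTC)
    ca, revoked_leaf, good_leaf, crl = make_pki(now)
    return {
        "chain_only_revoked": verify_without_revocation(revoked_leaf, ca),
        "full_revoked": verify_with_revocation(revoked_leaf, ca, crl, now),
        "full_good": verify_with_revocation(good_leaf, ca, crl, now),
        "full_stale_crl": verify_with_revocation(good_leaf, ca, crl, now + dt.timedelta(days=8)),
        "full_no_crl": verify_with_revocation(good_leaf, ca, None, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

The chain-only verifier accepts the revoked leaf, which is exactly the outcome this entry describes; the full verifier rejects it, and also rejects a CRL that is stale, that was not issued by the leaf's CA, or that is missing altogether, rather than quietly falling back to "not revoked". The same hard-fail posture applies when OCSP is used instead of a CRL.
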
+ Other Notes

An improper check for certificate revocation is a more serious flaw than the related certificate-validation weaknesses because a revoked certificate presented by a peer is almost always a sign of attack. The most common reason a certificate is revoked is compromise of the key or system it identifies, so no legitimate server should be presenting a revoked certificate unless its operators are badly out of sync with their CA.

+ Relationships
Nature    Type            ID   Name                                                             View(s) this relationship pertains to [View ID]
ChildOf   Category        295  Certificate Issues                                               Development Concepts (primary) [699]
ChildOf   Weakness Base   404  Improper Resource Shutdown or Release                            Research Concepts (primary) [1000]
ChildOf   Weakness Class  754  Improper Check for Unusual or Exceptional Conditions             Research Concepts [1000]
ChildOf   Category        898  SFP Cluster: Authentication                                      Software Fault Pattern (SFP) Clusters (primary) [888]
PeerOf    Weakness Base   296  Improper Following of Chain of Trust for Certificate Validation  Research Concepts [1000]
PeerOf    Weakness Base   297  Improper Validation of Host-specific Certificate Data            Research Concepts [1000]
PeerOf    Weakness Base   298  Improper Validation of Certificate Expiration                    Research Concepts [1000]
PeerOf    Weakness Base   322  Key Exchange without Entity Authentication                       Research Concepts [1000]
ParentOf  Weakness Base   370  Missing Check for Certificate Revocation after Initial Check     Development Concepts (primary) [699]; Research Concepts (primary) [1000]
MemberOf  View            884  CWE Cross-section                                                CWE Cross-section (primary) [884]
+ Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit  Mapped Node Name
CLASP                 -        -    Failure to check for certificate revocation
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 23: Improper Use of PKI, Especially SSL." Page 347. McGraw-Hill. 2010.
+ Content History
Submissions
Submission Date  Submitter  Organization  Source
-                CLASP      -             Externally Mined

Modifications
Modification Date  Modifier          Organization  Source    Changes
2008-07-01         Eric Dalci        Cigital       External  updated Time_of_Introduction
2008-09-08         CWE Content Team  MITRE         Internal  updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2009-03-10         CWE Content Team  MITRE         Internal  updated Description, Name, Relationships
2009-05-27         CWE Content Team  MITRE         Internal  updated Relationships
2010-12-13         CWE Content Team  MITRE         Internal  updated Other_Notes
2011-06-01         CWE Content Team  MITRE         Internal  updated Common_Consequences
2012-05-11         CWE Content Team  MITRE         Internal  updated References, Relationships

Previous Entry Names
Change Date  Previous Entry Name
2009-03-10   Failure to Check for Certificate Revocation
Page Last Updated: May 14, 2012