CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-347: Improper Verification of Cryptographic Signature

Weakness ID: 347
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software does not verify, or incorrectly verifies, the cryptographic signature for data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control
Integrity
Confidentiality

Technical Impact: Gain privileges / assume identity; Modify application data; Execute unauthorized code or commands

An attacker could gain access to sensitive data and possibly execute unauthorized code.

+ Demonstrative Examples

Example 1

In the following code, a JarFile object is created from a downloaded file.

(Bad Code)
Example Language: Java 
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);

The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.

+ Observed Examples
ReferenceDescription
Does not properly verify signatures for "trusted" entities.
Insufficient verification allows spoofing.
Insufficient verification allows spoofing.
Accepts a configuration file without a Message Integrity Check (MIC) signature.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory310Cryptographic Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Development Concepts699
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ChildOfCategoryCategory859CERT Java Secure Coding Section 14 - Platform Security (SEC)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory959SFP Secondary Cluster: Weak Cryptography
Software Fault Pattern (SFP) Clusters (primary)888
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERImproperly Verified Signature
CERT Java Secure CodingSEC06-JDo not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITREInternal
updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2014-07-30CWE Content TeamMITREInternal
updated Demonstrative_Examples, Relationships
2015-12-07CWE Content TeamMITREInternal
updated Relationships
2017-01-19CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-05-27Improperly Verified Signature

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017