Common Weakness Enumeration (CWE) - Individual Dictionary Definition (2.10)

CWE-358: Improperly Implemented Security Check for Standard

Weakness ID: 358
Abstraction: Base
Status: Draft
+ Description

Description Summary

The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Modes of Introduction

This is an implementation error: the standardized algorithm or technique requires certain security-related behaviors or conditions, and the product either omits them or checks them incorrectly, which results in a vulnerability.

+ Common Consequences
  • Scope: Access Control
    Effect: Technical Impact: Bypass protection mechanism

+ Observed Examples
  • Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates. (Three separate observed examples carry this description.)
  • Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).
  • Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
  • Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages. (Two separate observed examples carry this description.)
  • Security check not applied to all components, allowing bypass.
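The RADIUS observed example above comes down to one omitted step: RFC 2865 (section 3) requires the client to recompute the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and discard any reply whose authenticator does not match. The following Python is an added illustration written for this page, not code from CWE or MITRE; the shared secret, request authenticator, identifier and Reply-Message attribute are constructed sample values. It places the weak client (reply code and identifier checked, secret never used) beside the correct one.

```python
"""Verifying the Response Authenticator of a RADIUS reply (RFC 2865, section 3).

Illustrates CWE-358 with the RADIUS observed example: a client that accepts an
Access-Accept without recomputing the Response Authenticator with the shared
secret will also accept a reply produced without that secret. All packet bytes
below are constructed sample data, not captured traffic.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def build_reply(code, identifier, attributes, request_auth, secret):
    """Build a server reply whose Response Authenticator follows RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attributes)
    digest = hashlib.md5(
        struct.pack("!BBH", code, identifier, length)
        + request_auth + attributes + secret
    ).digest()
    return HEADER.pack(code, identifier, length, digest) + attributes


def parse(packet):
    """Split a RADIUS packet into header fields and attribute bytes."""
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("RADIUS length field does not match packet size")
    return code, identifier, length, authenticator, packet[HEADER.size:]


def accept_unchecked(packet, request_id):
    """Weak client (CWE-358): trusts the reply code and identifier alone, so
    the shared secret never enters the decision."""
    code, identifier, _, _, _ = parse(packet)
    return identifier == request_id and code == ACCESS_ACCEPT


def accept_verified(packet, request_id, request_auth, secret):
    """Correct client: recomputes the Response Authenticator with the shared
    secret and rejects the reply unless it matches (constant-time compare)."""
    code, identifier, length, authenticator, attributes = parse(packet)
    if identifier != request_id:
        return False
    expected = hashlib.md5(
        struct.pack("!BBH", code, identifier, length)
        + request_auth + attributes + secret
    ).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False
    return code == ACCESS_ACCEPT


# Constructed sample exchange (not real traffic) -----------------------------
SECRET = b"example-shared-secret"
REQUEST_ID = 0x2A
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
ATTRS = bytes([18, 9]) + b"welcome"  # attribute 18 (Reply-Message), length 9

GENUINE = build_reply(ACCESS_ACCEPT, REQUEST_ID, ATTRS, REQUEST_AUTH, SECRET)
# Same shape, but produced without the real secret: authenticator cannot verify.
FORGED = build_reply(ACCESS_ACCEPT, REQUEST_ID, ATTRS, REQUEST_AUTH, b"wrong-secret")
REJECT = build_reply(ACCESS_REJECT, REQUEST_ID, b"", REQUEST_AUTH, SECRET)


def demo():
    """Return the verdict each client gives on each constructed reply."""
    return {
        "unchecked_genuine": accept_unchecked(GENUINE, REQUEST_ID),
        "unchecked_forged": accept_unchecked(FORGED, REQUEST_ID),
        "verified_genuine": accept_verified(GENUINE, REQUEST_ID, REQUEST_AUTH, SECRET),
        "verified_forged": accept_verified(FORGED, REQUEST_ID, REQUEST_AUTH, SECRET),
        "verified_reject": accept_verified(REJECT, REQUEST_ID, REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two clients agree on a genuine Access-Accept; only the verified one rejects the reply built without the secret, and it also rejects a genuine packet whose attribute bytes were altered in transit, because the altered bytes feed the MD5 recomputation. The same pattern applies to the other observed examples: the standard names a check (Basic Constraints on a CA certificate, the conditions of CRAM-MD5), and the weakness is the code path that never performs it.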
+ Relationships
Nature, Type, ID, Name, and the view(s) the relationship pertains to:
  • ChildOf: Category 254, Security Features (Development Concepts (primary) 699; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003)
  • ChildOf: Weakness Class 573, Improper Following of Specification by Caller (Research Concepts (primary) 1000)
  • ChildOf: Weakness Class 693, Protection Mechanism Failure (Research Concepts 1000)
  • ChildOf: Category 978, SFP Secondary Cluster: Implementation (Software Fault Pattern (SFP) Clusters (primary) 888)
  • CanAlsoBe: Weakness Base 290, Authentication Bypass by Spoofing (Research Concepts 1000)
  • CanAlsoBe: Weakness Class 345, Insufficient Verification of Data Authenticity (Research Concepts 1000)
  • PeerOf: Weakness Base 325, Missing Required Cryptographic Step (Research Concepts 1000)
+ Relationship Notes

This is a "missing step" error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant, that is, a consequence of some other weakness rather than the root cause.

+ Taxonomy Mappings
  • PLOVER: Improperly Implemented Security Check for Standard
+ Content History
Submissions
  • PLOVER (Externally Mined)

Modifications
  • 2008-07-01, Eric Dalci, Cigital, External: updated Time_of_Introduction
  • 2008-09-08, CWE Content Team, MITRE, Internal: updated Relationships, Other_Notes, Taxonomy_Mappings
  • 2009-05-27, CWE Content Team, MITRE, Internal: updated Description
  • 2009-10-29, CWE Content Team, MITRE, Internal: updated Modes_of_Introduction, Observed_Examples, Other_Notes, Relationship_Notes
  • 2011-06-01, CWE Content Team, MITRE, Internal: updated Common_Consequences, Relationships, Taxonomy_Mappings
  • 2012-05-11, CWE Content Team, MITRE, Internal: updated Relationships, Taxonomy_Mappings
  • 2014-07-30, CWE Content Team, MITRE, Internal: updated Relationships
  • 2015-12-07, CWE Content Team, MITRE, Internal: updated Relationships

Page Last Updated: January 18, 2017