CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-599: Missing Validation of OpenSSL Certificate

Weakness ID: 599
Abstraction: Variant
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.

Extended Description

This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read application data

The data read may not be properly secured, it might be viewed by an attacker.

Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

Trust afforded to the system in question may allow for spoofing or redirection attacks.

Access Control

Technical Impact: Gain privileges / assume identity

If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.

+ Demonstrative Examples

Example 1

The following OpenSSL code ensures that the host has a certificate.

(Bad Code)
Example Language:
if (cert = SSL_get_peer_certificate(ssl)) {
// got certificate, host can be trusted
//foo=SSL_get_verify_result(ssl);
//if (X509_V_OK==foo) ...
}

Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.

+ Potential Mitigations

Phase: Architecture and Design

Ensure that proper authentication is included in the system design.

Phase: Implementation

Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base295Improper Certificate Validation
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory948SFP Secondary Cluster: Digital Certificate
Software Fault Pattern (SFP) Clusters (primary)888
+ Relationship Notes

CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources ("OpenSSL certificate" as a child of "any certificate") and types of behaviors ("not validating expiration" as a child of "improper validation").

+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Other_Notes
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-07-27CWE Content TeamMITREInternal
updated Relationships
2010-12-13CWE Content TeamMITREInternal
updated Description
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Other_Notes
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2013-02-21CWE Content TeamMITREInternal
updated Demonstrative_Examples, Description, Name, Relationship_Notes, Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11No OpenSSL Certificate Check Performed before Use
2013-02-21Trust of OpenSSL Certificate Without Validation

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017