Improper Following of Chain of Trust for Certificate Validation
ID: 296 | Date: Created 2012-05-14, Modified 2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The chain of trust is not followed or is incorrectly followed when validating a certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Likelihood of Exploit: Low
Applicable Platforms: Language Class: All
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Non-Repudiation | Hide activities | Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source. |
Integrity, Confidentiality, Availability, Access Control | Gain privileges / assume identity; Execute unauthorized code or commands | Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Ensure that proper certificate checking is included in the system design. | | |
Implementation | | Understand, and properly implement, all checks necessary to ensure the integrity of the certificate chain of trust. | | |
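The Implementation mitigation in working code, as an added example that is not part of this CWE entry or of CLASP: using Go's standard library, it constructs an in-memory root CA, a leaf that CA issued, and a second, untrusted CA that issues a leaf for the same host name, then contrasts a check that inspects the leaf alone (the CWE-296 pattern) with one that follows the chain to the trusted root. The names newCert, WeakCheck and ChainCheck and the host names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for host (constructed test data, not a real PKI); parent == nil gives a self-signed CA root.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// WeakCheck is the CWE-296 pattern: it inspects the leaf in isolation (validity window,
// host name) and never asks who signed it, so a certificate from any CA is accepted.
func WeakCheck(leaf *x509.Certificate, host string) bool {
	now := time.Now()
	return now.After(leaf.NotBefore) && now.Before(leaf.NotAfter) && leaf.VerifyHostname(host) == nil
}

// ChainCheck follows the chain of trust: the leaf must be signed, link by link, by the
// trusted root, with signature, CA flag, key usage, name and validity checked at each link.
func ChainCheck(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

A leaf issued by the untrusted CA passes WeakCheck but fails ChainCheck, which is exactly the gap this weakness describes.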
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-296 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples: None
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CLASP | | Failure to follow chain of trust in certificate validation | |
References:
- Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section: "Sin 23: Improper Use of PKI, Especially SSL", page 347.