Improper Following of Chain of Trust for Certificate Validation

ID: 296
Date: (C) 2012-05-14, (M) 2022-10-10
Type: Weakness
Status: DRAFT
Abstraction Type: Base

Description

The chain of trust is not followed or is incorrectly followed when validating a certificate, resulting in incorrect trust of any resource that is associated with that certificate.

Likelihood of Exploit: Low

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design

Common Consequences

Scope: Non-Repudiation
Technical Impact: Hide activities
Notes: Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source.

Scope: Integrity, Confidentiality, Availability, Access Control
Technical Impact: Gain privileges / assume identity; Execute unauthorized code or commands
Notes: Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity.

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Description: Ensure that proper certificate checking is included in the system design.

Phase: Implementation
Description: Understand, and properly implement, all checks necessary to ensure the integrity of certificate trust.
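
As an added illustration (not part of this CWE entry or its reference), the following Go program contrasts the weak pattern this weakness describes, verifying a certificate only against the issuer the peer happened to present, with a check that follows the chain all the way to a locally configured trust anchor. It uses only Go's standard crypto/x509 package; the certificate names, serial numbers and hostname are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a one-hour test cert for cn, signed by parent/parentKey or self-signed when parent is nil (constructed data).
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed trust anchor
		parent, parentKey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// weakCheck is the CWE-296 pattern: the leaf's signature is checked against whatever issuer the peer presented, but that issuer is never tied back to a locally configured trust anchor.
func weakCheck(leaf, presentedIssuer *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(presentedIssuer) == nil
}

// properCheck follows the chain from the leaf through the presented intermediates up to a root in the local trust store, checking every signature, validity period and CA constraint on the way.
func properCheck(leaf *x509.Certificate, roots *x509.CertPool, presented ...*x509.Certificate) bool {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Demo builds a genuine chain (root -> intermediate -> leaf) and a rogue chain for the same name, then reports what each check accepts.
func Demo() (weakAcceptsRogue, properAcceptsRogue, properAcceptsGenuine bool) {
	root, rootKey := newCert("Trusted Root", 1, true, nil, nil)
	inter, interKey := newCert("Trusted Intermediate", 2, true, root, rootKey)
	leaf, _ := newCert("example.test", 3, false, inter, interKey)
	rogueRoot, rogueKey := newCert("Rogue Root", 4, true, nil, nil)
	rogueLeaf, _ := newCert("example.test", 5, false, rogueRoot, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only locally configured trust anchor
	return weakCheck(rogueLeaf, rogueRoot), properCheck(rogueLeaf, roots, rogueRoot), properCheck(leaf, roots, inter)
}
```

Demo returns true, false, true: the weak check accepts the rogue leaf because its signature by the rogue root is valid, while the proper check rejects it and accepts only the chain that ends at the configured root.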

Relationships

Related CWE: CWE-296 ChildOf CWE-898
Type: Category
View: CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: CLASP
Name: Failure to follow chain of trust in certificate validation

References:

  1. Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 23: Improper Use of PKI, Especially SSL", page 347.

© SecPod Technologies