Improper Validation of Integrity Check Value

ID: 354
Date: (C) 2012-05-14   (M) 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base





Description

The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Extended Description

Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences.
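As an added illustration (not part of the CWE entry or any SecPod code), the following Python contrasts a parser that carries the integrity check value but never compares it with one that verifies it before the payload is used, as the Potential Mitigations section requires. The wire format (4-byte length, payload, 32-byte HMAC-SHA256 tag), the key and the sample payload are all constructed for this example; the keyed tag reflects the Common Consequences note that integrity checks usually involve a secret key.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed wire format for this example (an assumption, not from CWE-354):
#   4-byte big-endian payload length | payload | 32-byte HMAC-SHA256 tag
# The tag is computed with a shared secret key over the length field and payload.
def build_message(key: bytes, payload: bytes) -> bytes:
    header = struct.pack(">I", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def parse_unchecked(msg: bytes) -> bytes:
    """CWE-354 pattern: the tag travels with the message but is never compared,
    so altered or corrupted payload bytes are parsed and used as if genuine."""
    (length,) = struct.unpack(">I", msg[:4])
    return msg[4:4 + length]

def parse_checked(key: bytes, msg: bytes) -> bytes:
    """Mitigation: recompute the integrity check value and verify it before use."""
    if len(msg) < 4 + TAG_LEN:
        raise ValueError("message too short to carry a tag")
    (length,) = struct.unpack(">I", msg[:4])
    if len(msg) != 4 + length + TAG_LEN:
        raise ValueError("length field disagrees with message size")
    body, received_tag = msg[:4 + length], msg[4 + length:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    # constant-time comparison: a plain != would leak where the tags diverge
    if not hmac.compare_digest(expected_tag, received_tag):
        raise ValueError("integrity check failed")
    return msg[4:4 + length]

def corrupt_byte(msg: bytes, offset: int) -> bytes:
    """Simulate one byte changing in transit (constructed input for the demo)."""
    altered = bytearray(msg)
    altered[offset] ^= 0x01
    return bytes(altered)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = build_message(key, b"amount=100")
    bad = corrupt_byte(good, 11)  # flips the '1' in the payload to '0'
    print("unchecked parser accepted:", parse_unchecked(bad))
    try:
        parse_checked(key, bad)
    except ValueError as err:
        print("checked parser rejected:", err)
```

The checked parser also rejects a message whose tag bytes were altered or whose length field no longer matches its size, so the payload is never handed to application code unless the whole unit verified.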

Likelihood of Exploit: Medium

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

Scope | Technical Impact | Notes
Integrity; Other | Modify application data; Other | Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected.
Integrity; Other | Other | Data that is parsed and used may be corrupted.
Non-Repudiation; Other | Hide activities; Other | Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent.

Detection Methods
None

Potential Mitigations

Phase | Strategy | Description | Effectiveness | Notes
Implementation | | Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used. | |

Relationships

Related CWE | Type | View | Chain
CWE-354 ChildOf CWE-896 Category CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
CLASP | | Failure to check integrity check value |

References:
None

CVE (51)
CVE-2012-1170
CVE-2021-1883
CVE-2021-20709
CVE-2021-20184
...

© SecPod Technologies