[Forgot Password]
Login  Register Subscribe

23631

 
 

117687

 
 

98503

 
 

909

 
 

79281

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Trust of OpenSSL Certificate Without Validation

ID: 599Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Variant





Description

The software uses an OpenSSL Certificate without validating the certificate data.

Extended Description

This could allow an attacker to claim to be a trusted host.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 
Read application data
 
The data read may not be properly secured, it might be viewed by an attacker.
 
Access_Control
 
Bypass protection mechanism
Gain privileges / assume identity
 
Trust afforded to the system in question may allow for spoofing or redirection attacks.
 
Access_Control
 
Gain privileges / assume identity
 
If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Ensure that proper authentication is included in the system design.
 
  
Implementation
 
 Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.
 
  

Relationships

Related CWETypeViewChain
CWE-599 ChildOf CWE-898 Category CWE-888  

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:
None

© 2013 SecPod Technologies