Trust of OpenSSL Certificate Without Validation| ID: 599 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
The software uses an OpenSSL Certificate without validating the
certificate data.
Extended DescriptionThis could allow an attacker to claim to be a trusted host.
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | The data read may not be properly secured, it might be viewed by an
attacker. |
| Access_Control | Bypass protection
mechanismGain privileges / assume
identity | Trust afforded to the system in question may allow for spoofing or
redirection attacks. |
| Access_Control | Gain privileges / assume
identity | If the certificate is not checked, it may be possible for a
redirection or spoofing attack to allow a malicious host with a valid
certificate to provide data under the guise of a trusted host. While the
attacker in question may have a valid certificate, it may simply be a
valid certificate for a different site. In order to ensure data
integrity, we must check that the certificate is valid, and that it
pertains to the site we wish to access. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Ensure that proper authentication is included in the system
design. | | |
| Implementation | | Understand and properly implement all checks necessary to ensure the
identity of entities involved in encrypted communications. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-599 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:None
