Structure: Simple
Abstraction: Variant
Status: Draft
Likelihood of Exploit: Low
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
When the expiration of a certificate is not taken into account, the certificate has not necessarily conveyed any trust at all. Its validity cannot then be verified, and every benefit the certificate was supposed to provide is lost.
Relationship: ChildOf CWE-295 (View 1000, Ordinal: Primary)
Relationship: ChildOf CWE-295 (View 699, Ordinal: Primary)
Relationship: ChildOf CWE-672 (View 1000)
Applicable Platform: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Note |
---|---|---|
Integrity, Other | Other | The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing. |
Authentication, Other | Other | Trust afforded to the system in question on the basis of the expired certificate may allow spoofing attacks. |
Mitigation strategy:
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation strategy:
If certificate pinning is being used, ensure that all relevant properties of the certificate, including its expiration, are fully validated before the certificate is pinned.
The following OpenSSL code ensures that a certificate is present but still allows the use of expired certificates.
Example language: C (bad code)
If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, the certificate has expired. The longer an expired certificate remains in use, the greater the chance that an attacker has compromised it.
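As an added illustration (not the CWE entry's own example code), the accept-or-reject decision on the SSL_get_verify_result() value is shown in both its flawed and its corrected form, together with an explicit validity-window check of the kind the pinning mitigation above calls for. The two result-code values are copied from OpenSSL's <openssl/x509_vfy.h> so the snippet builds without linking OpenSSL; the function names are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Verification result codes as defined by OpenSSL in <openssl/x509_vfy.h>.
 * Copied here so this example compiles without the OpenSSL headers. */
#define X509_V_OK                    0
#define X509_V_ERR_CERT_HAS_EXPIRED 10

/* Flawed policy (the pattern this CWE describes): an expired certificate
 * is treated exactly like a cleanly verified one. */
bool accept_peer_flawed(long verify_result)
{
    return verify_result == X509_V_OK ||
           verify_result == X509_V_ERR_CERT_HAS_EXPIRED;
}

/* Corrected policy: only a clean verification result conveys trust.
 * Every error code, including expiry, rejects the peer. */
bool accept_peer_fixed(long verify_result)
{
    return verify_result == X509_V_OK;
}

/* Explicit validity-window check, for code paths (such as pinning) that
 * inspect the certificate themselves rather than relying on the library.
 * Both bounds are inclusive, matching the way notBefore/notAfter are read. */
bool cert_within_validity(time_t not_before, time_t not_after, time_t now)
{
    return now >= not_before && now <= not_after;
}

/* Text for the user, as the first mitigation recommends: say what the
 * problem is rather than silently continuing. */
const char *describe_verify_result(long verify_result)
{
    switch (verify_result) {
    case X509_V_OK:
        return "certificate verified";
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return "certificate has expired; connection refused";
    default:
        return "certificate verification failed; connection refused";
    }
}

int main(void)
{
    /* Constructed sample: the library reported an expired certificate. */
    long result = X509_V_ERR_CERT_HAS_EXPIRED;
    printf("flawed: %d, fixed: %d (%s)\n", accept_peer_flawed(result),
           accept_peer_fixed(result), describe_verify_result(result));
    return 0;
}
```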
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Failure to validate certificate expiration |