Improper Validation of Certificate Expiration

Weakness ID: 298 (Weakness Base) | Status: Draft
Description Summary
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
Extended Description
When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
Common Consequences

Scope | Effect |
---|---|
Integrity | The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing. |
Authentication | Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks. |
Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++

```c
/* Bad Code: a verification result that reports a validity-period problem is
 * accepted exactly as if it were X509_V_OK, so the certificate's dates are
 * never actually enforced. */
if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
    goto err;                     /* no peer certificate or no host name */
foo = SSL_get_verify_result(ssl);
if ((X509_V_OK == foo) || (X509_V_ERR_CERT_NOT_YET_VALID == foo)) {
    /* do stuff */
}
```
Potential Mitigations

Phase: Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
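The check the mitigation calls for, as an added example that is not part of the CWE entry: a standard-library-only Python function that classifies a peer certificate's validity period against the current time, working on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The sample certificate dates, the `validity_status` and `accept_peer_certificate` names, and the 300-second clock-skew allowance are assumptions made for this example.

```python
import ssl
import time

# Peer certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# Constructed for this example; the dates belong to no real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def validity_status(cert, now=None, skew_seconds=300):
    """Classify a certificate's validity period against the current time.

    Returns "valid", "not_yet_valid" or "expired". A small clock-skew
    allowance (assumed here: 300 s) is applied at both ends, because a
    client or server clock drifting by a few minutes is routine; anything
    beyond that is a real failure, not a condition to be waved through.
    """
    if now is None:
        now = time.time()
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings
    # that getpeercert() uses and returns POSIX seconds (UTC).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now + skew_seconds < not_before:
        return "not_yet_valid"
    if now - skew_seconds > not_after:
        return "expired"
    return "valid"


def accept_peer_certificate(cert, now=None):
    """Fail closed on both ends of the validity period.

    Unlike the Bad Code above, a "not yet valid" result is rejected just
    like an "expired" one: the only acceptable outcome is "valid".
    """
    return validity_status(cert, now) == "valid"


if __name__ == "__main__":
    for label, when in (("inside period", 1717200000),      # 2024-06-01 UTC
                        ("before notBefore", 1704067200 - 3600),
                        ("after notAfter", 1735689599 + 3600)):
        print(f"{label}: {validity_status(SAMPLE_CERT, now=when)}")
```

In a live connection, leaving `verify_mode` at `ssl.CERT_REQUIRED` (the default from `ssl.create_default_context()`) makes OpenSSL enforce the validity period during the handshake; an explicit check like this one matters when an application inspects certificates itself, for instance after loading them from a file or store rather than receiving them over a verified handshake.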
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 295 | Certificate Issues | Development Concepts (primary) 699 |
ChildOf | Weakness Base | 672 | Operation on a Resource after Expiration or Release | Research Concepts (primary) 1000 |
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
ChildOf | Weakness Class | 754 | Improper Check for Unusual or Exceptional Conditions | Research Concepts 1000 |
PeerOf | Weakness Base | 296 | Improper Following of Chain of Trust for Certificate Validation | Research Concepts 1000 |
PeerOf | Weakness Base | 297 | Improper Validation of Host-specific Certificate Data | Research Concepts 1000 |
PeerOf | Weakness Base | 299 | Improper Check for Certificate Revocation | Research Concepts 1000 |
PeerOf | Weakness Base | 322 | Key Exchange without Entity Authentication | Research Concepts 1000 |
PeerOf | Weakness Base | 324 | Use of a Key Past its Expiration Date | Research Concepts 1000 |
PeerOf | Weakness Base | 370 | Missing Check for Certificate Revocation after Initial Check | Research Concepts 1000 |
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Failure to validate certificate expiration |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
| CLASP | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Description, Name, Relationships |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Description, Other Notes |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2009-03-10 | Failure to Validate Certificate Expiration |