CWE 298

Improper Validation of Certificate Expiration

Weakness ID: 298 (Weakness Base)

Status: Draft

Description

Description Summary

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Extended Description

When the expiration of a certificate is not taken into account no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Integrity	The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
Authentication	Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks.

Likelihood of Exploit

Low

Demonstrative Examples

Example 1

(Bad Code)

Example Languages: C and C++

if (!(cert = SSL_get_peer(certificate(ssl)) || !host) foo=SSL_get_verify_result(ssl);

if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) //do stuff

Potential Mitigations

Phase: Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	295	Certificate Issues	Development Concepts (primary)699
ChildOf	Weakness Base	672	Operation on a Resource after Expiration or Release	Research Concepts (primary)1000
ChildOf	Category	724	OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Weakness Class	754	Improper Check for Unusual or Exceptional Conditions	Research Concepts1000
PeerOf	Weakness Base	296	Improper Following of Chain of Trust for Certificate Validation	Research Concepts1000
PeerOf	Weakness Base	297	Improper Validation of Host-specific Certificate Data	Research Concepts1000
PeerOf	Weakness Base	299	Improper Check for Certificate Revocation	Research Concepts1000
PeerOf	Weakness Base	322	Key Exchange without Entity Authentication	Research Concepts1000
PeerOf	Weakness Base	324	Use of a Key Past its Expiration Date	Research Concepts1000
PeerOf	Weakness Base	370	Missing Check for Certificate Revocation after Initial Check	Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Failure to validate certificate expiration

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Description, Name, Relationships
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Demonstrative Examples
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Demonstrative Examples
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Description, Other Notes
Previous Entry Names
Change Date	Previous Entry Name
2009-03-10	Failure to Validate Certificate Expiration

CWE 298

COMPANY

STANDARDS

RECENT POSTS

MENU