Improper Validation of Integrity Check Value
Weakness ID: 354 (Weakness Base) | Status: Draft
Description Summary
Extended Description: The failure to validate checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Failing to verify that they match can lead to consequences far greater than the cost of the check.
Scope | Effect |
---|---|
Authentication | Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected. |
Integrity | Data that is parsed and used may be corrupted. |
Non-Repudiation | Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent. |
Example 1
Phase: Implementation
Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.
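As an added illustration, not part of the CWE entry, the following Python shows the weakness beside the mitigation above: one parser reads a message and uses the payload without ever looking at its integrity check value, the other recomputes the tag as the specification would describe and compares it with the received tag before the payload is handed on. The wire format (length prefix, payload, HMAC-SHA256 tag), the key and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import struct

# Constructed wire format, an assumption for this example (not a real protocol):
#   2-byte big-endian payload length | payload | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct(">H")
TAG_LEN = 32


def build_message(key: bytes, payload: bytes) -> bytes:
    """Sender side: compute the tag over header + payload and append it."""
    header = HEADER.pack(len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def parse_unchecked(msg: bytes) -> bytes:
    """CWE-354 pattern: the tag is on the wire but is never verified, so a
    payload altered in transit is accepted and used as if it were genuine."""
    (length,) = HEADER.unpack_from(msg, 0)
    return msg[HEADER.size:HEADER.size + length]


def parse_verified(key: bytes, msg: bytes) -> bytes:
    """Mitigation: recompute the tag per the format and compare it with the
    received tag before the payload reaches any further parsing."""
    if len(msg) < HEADER.size + TAG_LEN:
        raise ValueError("message too short to carry an integrity check value")
    (length,) = HEADER.unpack_from(msg, 0)
    end = HEADER.size + length
    if end + TAG_LEN != len(msg):
        raise ValueError("declared length does not match message size")
    expected = hmac.new(key, msg[:end], hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak tag bytes.
    if not hmac.compare_digest(expected, msg[end:]):
        raise ValueError("integrity check value mismatch")
    return msg[HEADER.size:end]


def corrupt_byte(msg: bytes, offset: int) -> bytes:
    """Test helper: flip one byte to simulate corruption or modification in transit."""
    return msg[:offset] + bytes([msg[offset] ^ 0xFF]) + msg[offset + 1:]
```

The unchecked parser returns whatever payload arrived; the verified parser raises on a corrupted byte, a wrong key, or a truncated message, which is the point at which the message should be logged and dropped.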
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Development Concepts (699, primary); Research Concepts (1000, primary) |
ChildOf | Weakness Class | 754 | Improper Check for Unusual or Exceptional Conditions | Research Concepts (1000) |
PeerOf | Weakness Base | 353 | Failure to Add Integrity Check Value | Research Concepts (1000) |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Failure to check integrity check value |
(CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name |
---|---|
75 | Manipulating Writeable Configuration Files |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
| | CLASP | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Description, Name, Relationships |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Description, Other Notes |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2009-03-10 | Failure to Check Integrity Check Value |