Improperly Implemented Security Check for Standard
Weakness ID: 358 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Modes of Introduction

This is an implementation error, in which the algorithm/technique requires certain security-related behaviors or conditions that are not implemented or checked properly, thus causing a vulnerability.

+ Observed Examples
Reference       Description
CVE-2002-0862   Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2002-0970   Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2002-1407   Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2005-0198   Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).
CVE-2004-2163   Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
CVE-2005-2181   Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
CVE-2005-2182   Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
CVE-2005-2298   Security check not applied to all components, allowing bypass.
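The RADIUS case in the table (CVE-2004-2163, shared secret not verified in the server reply) as an added example that is not part of the CWE entry: a client that acts on the reply's Code field alone, beside one that recomputes the RFC 2865 Response Authenticator with the shared secret before accepting. The secret, the Request Authenticator and the attribute bytes are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet layout (RFC 2865): Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes
HEADER = struct.Struct("!BBH16s")
ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Build a server reply; only a party holding the real shared secret can produce a valid one."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs

def accept_reply_unchecked(packet):
    """The weakness: the client decides on the Code field alone and never checks the authenticator."""
    code, _, _, _ = HEADER.unpack_from(packet)
    return code == ACCESS_ACCEPT

def accept_reply_verified(packet, request_auth, secret):
    """The required check: recompute the Response Authenticator and compare it in constant time."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):  # truncated or padded packet: the hash would cover the wrong bytes
        return False
    expected = response_authenticator(code, ident, packet[HEADER.size:], request_auth, secret)
    return hmac.compare_digest(auth, expected) and code == ACCESS_ACCEPT

def demo():
    """Constructed values: a fixed Request Authenticator (normally 16 random bytes per request)."""
    request_auth = bytes(range(16))
    attrs = b"\x12\x07hello"  # one Reply-Message attribute: type 18, length 7, value "hello"
    secret = b"correct-shared-secret"
    genuine = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    forged = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, b"wrong-secret")  # sender lacks the secret
    return {
        "unchecked_genuine": accept_reply_unchecked(genuine),
        "unchecked_forged": accept_reply_unchecked(forged),   # True: the missing check
        "verified_genuine": accept_reply_verified(genuine, request_auth, secret),
        "verified_forged": accept_reply_verified(forged, request_auth, secret),  # False
    }

if __name__ == "__main__":
    print(demo())
```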
+ Relationships
Nature      Type            ID   Name                                             View(s) this relationship pertains to
ChildOf     Category        254  Security Features                                Development Concepts (primary) 699
ChildOf     Weakness Class  573  Failure to Follow Specification                  Research Concepts (primary) 1000
ChildOf     Weakness Class  693  Protection Mechanism Failure                     Research Concepts 1000
CanAlsoBe   Weakness Base   290  Authentication Bypass by Spoofing                Research Concepts 1000
CanAlsoBe   Weakness Class  345  Insufficient Verification of Data Authenticity   Research Concepts 1000
PeerOf      Weakness Base   325  Missing Required Cryptographic Step              Research Concepts 1000
+ Relationship Notes

This is a "missing step" error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.

+ Taxonomy Mappings
Mapped Taxonomy Name   Node ID   Fit   Mapped Node Name
PLOVER                                 Improperly Implemented Security Check for Standard
+ Content History
Submissions
Submission Date   Submitter   Organization   Source
                  PLOVER                     Externally Mined

Modifications

Modification Date   Modifier           Organization   Source
2008-07-01          Eric Dalci         Cigital        External
    updated Time of Introduction
2008-09-08          CWE Content Team   MITRE          Internal
    updated Relationships, Other Notes, Taxonomy Mappings
2009-05-27          CWE Content Team   MITRE          Internal
    updated Description
2009-10-29          CWE Content Team   MITRE          Internal
    updated Modes of Introduction, Observed Examples, Other Notes, Relationship Notes