CWE-298 Improper Validation of Certificate Expiration

admin, 2022-01-05 21:06:32, category: CWE (Common Weakness Enumeration)

Improper Validation of Certificate Expiration

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Low

Description

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Extended Description

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

Related Weaknesses

  • ChildOf CWE-295 (View 1000, Primary)

  • ChildOf CWE-295 (View 699, Primary)

  • ChildOf CWE-672 (View 1000)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

  • Scope: Integrity, Other. Impact: Other. Note: The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.

  • Scope: Authentication, Other. Impact: Other. Note: Trust afforded to the system in question, based on the expired certificate, may allow for spoofing attacks.

Potential Mitigations

Phase: Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Phase: Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

Demonstrative Examples

The following OpenSSL code checks that a peer certificate is present, but then accepts the certificate even when verification reports that it has expired.

(bad code) Example Language: C

#include <openssl/ssl.h>
#include <openssl/x509.h>

X509 *cert;
long foo;
/* The page's SSL_get_peer(certificate(ssl)) is a typo for SSL_get_peer_certificate(ssl). */
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
    foo = SSL_get_verify_result(ssl);
    /* BAD: an expired certificate is treated exactly like a valid one. */
    if ((X509_V_OK == foo) || (X509_V_ERR_CERT_HAS_EXPIRED == foo)) {
        //do stuff
    }
    X509_free(cert);
}

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.
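The hardened counterpart, as an added example that is not part of the original page or of the CWE entry: only X509_V_OK is accepted, and the certificate's notBefore/notAfter window is parsed and checked independently against the current time, which is what the pinning mitigation above asks for. The three verify-result constants are copied from OpenSSL's x509_vfy.h so the file builds without OpenSSL; the helper names, reason strings and sample timestamps are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Verify-result codes copied from openssl/x509_vfy.h so this file builds
 * without OpenSSL headers; real code includes the header instead. */
#define X509_V_OK                      0
#define X509_V_ERR_CERT_NOT_YET_VALID  9
#define X509_V_ERR_CERT_HAS_EXPIRED   10

/* Days since 1970-01-01 for a proleptic-Gregorian civil date (UTC). */
static long days_from_civil(long y, int m, int d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse an X.509 validity time (UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime
 * "YYYYMMDDHHMMSSZ", both UTC) into seconds since the epoch. 0 = ok, -1 = bad. */
int parse_x509_time(const char *s, time_t *out) {
    size_t n = strlen(s);
    long y; int m, d, hh, mm, ss;
    if (n == 13 && s[12] == 'Z' && sscanf(s, "%2ld%2d%2d%2d%2d%2d", &y, &m, &d, &hh, &mm, &ss) == 6)
        y += (y < 50) ? 2000 : 1900;                     /* RFC 5280 UTCTime pivot */
    else if (n == 15 && s[14] == 'Z' && sscanf(s, "%4ld%2d%2d%2d%2d%2d", &y, &m, &d, &hh, &mm, &ss) == 6)
        ;
    else
        return -1;
    if (m < 1 || m > 12 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 60)
        return -1;
    *out = (time_t)(days_from_civil(y, m, d) * 86400L + hh * 3600L + mm * 60L + ss);
    return 0;
}

/* Trust decision: only X509_V_OK passes, and the validity window is re-checked
 * against `now` so a pinned certificate (matched by fingerprint, outside chain
 * verification) cannot outlive its notAfter. `reason` is text for the user. */
int certificate_trusted(long verify_result, const char *not_before,
                        const char *not_after, time_t now, const char **reason) {
    time_t nb, na;
    if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED)   { *reason = "certificate has expired"; return 0; }
    if (verify_result == X509_V_ERR_CERT_NOT_YET_VALID) { *reason = "certificate is not yet valid"; return 0; }
    if (verify_result != X509_V_OK)                     { *reason = "certificate chain verification failed"; return 0; }
    if (parse_x509_time(not_before, &nb) || parse_x509_time(not_after, &na))
                                                        { *reason = "malformed validity period"; return 0; }
    if (now < nb) { *reason = "certificate is not yet valid"; return 0; }
    if (now > na) { *reason = "certificate has expired"; return 0; }
    *reason = "certificate valid";
    return 1;
}
```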

Taxonomy Mappings

  • Mapped Taxonomy Name: CLASP. Mapped Node Name: Failure to validate certificate expiration.

References

Article source: scap中文网

Original link (CN-SEC 中文网): http://cn-sec.com/archives/612788.html