CWE-298 证书过期验证不恰当

admin 2022年1月5日21:06:32评论136 views字数 1792阅读5分58秒阅读模式

CWE-298 证书过期验证不恰当

Improper Validation of Certificate Expiration

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: Low

基本描述

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

扩展描述

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 295 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 295 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 672 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Integrity', 'Other'] Other The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
['Authentication', 'Other'] Other Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks.

可能的缓解方案

Architecture and Design

策略:

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Implementation

策略:

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

示例代码

The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.

bad C

if (cert = SSL_get_peer(certificate(ssl)) {

foo=SSL_get_verify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo))


//do stuff

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Failure to validate certificate expiration

引用

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月5日21:06:32
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-298 证书过期验证不恰当http://cn-sec.com/archives/612788.html

发表评论

匿名网友 填写信息