CWE-295: Improper Certificate Validation
Learn about CWE-295 (Improper Certificate Validation), its security impact, exploitation methods, and prevention guidelines.
What is Improper Certificate Validation?
• Overview: Improper Certificate Validation (CWE-295) occurs when a software product fails to properly verify the authenticity of a digital certificate, potentially allowing attackers to impersonate legitimate entities.
• Exploitation Methods:
- Attackers can exploit this vulnerability by presenting a fake or invalid certificate to intercept or manipulate data.
- Common attack patterns include Man-in-the-Middle (MitM) attacks where attackers position themselves between the client and server to eavesdrop or alter communications.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data and the ability for attackers to impersonate trusted systems or users.
- Potential cascading effects can involve broader network compromise and further attacks on related systems or data.
- Business impact may involve data breaches, loss of customer trust, legal liabilities, and financial losses.
• Prevention Guidelines:
- Specific code-level fixes include implementing strict certificate validation checks such as checking the certificate chain and expiration dates.
- Security best practices involve using established libraries and APIs for certificate validation and avoiding custom implementations unless absolutely necessary.
- Recommended tools and frameworks include using TLS/SSL libraries with built-in certificate validation, such as OpenSSL, and employing automated security testing tools to identify validation flaws.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Mobile
A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.
Vulnerable Code Example
const https = require('https');
// Vulnerable code: Ignoring certificate validation (DO NOT DO THIS!)
const options = {
hostname: 'example.com',
port: 443,
path: '/',
method: 'GET',
rejectUnauthorized: false // This disables certificate validation
};
const req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.end();
Explanation:
- The JavaScript code above shows a critical security flaw by setting
rejectUnauthorized: false. This option disables SSL/TLS certificate validation, allowing the application to accept any certificate, including self-signed or expired ones. This makes the application vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker could intercept and potentially alter the communication between the client and server.
How to fix Improper Certificate Validation?
To address this issue, always enforce certificate validation by ensuring rejectUnauthorized is set to true, which is the default behavior. This ensures that the server's certificate is validated against trusted Certificate Authorities (CAs).
Fixed Code Example
const https = require('https');
// Fixed code: Certificate validation is enabled by default
const options = {
hostname: 'example.com',
port: 443,
path: '/',
method: 'GET'
// rejectUnauthorized: true is default, so this line is optional and can be omitted.
};
const req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.end();
Explanation:
- The fixed code ensures the security of the HTTPS request by omitting the
rejectUnauthorizedoption, which defaults totrue. This ensures that the server's certificate is automatically validated against trusted CAs. Additionally, handling errors withreq.on('error', ...)is crucial for robust error handling. Always ensure your Node.js environment is configured with an updated CA bundle to maintain security.
In both examples, the key fix is to enforce certificate validation by using secure defaults or explicitly setting options that verify server certificates against trusted authorities. This prevents attackers from intercepting or tampering with the communication.