CWE-298: Improper Validation of Certificate Expiration
Learn about CWE-298 (Improper Validation of Certificate Expiration), its security impact, exploitation methods, and prevention guidelines.
What is Improper Validation of Certificate Expiration?
• Overview: Improper Validation of Certificate Expiration (CWE-298) occurs when a system does not check, or incorrectly checks, the validity period (notBefore/notAfter) of a digital certificate, so that trust is placed in a certificate whose lifetime has ended. The expiration check is a backstop: once a certificate has expired, its CA is no longer required to keep listing it in CRLs or answering for it over OCSP, so the expiration date is often the only remaining signal that the certificate should not be trusted.
• Exploitation Methods:
- An attacker who holds the private key of an expired certificate (for example, one recovered from a decommissioned or compromised server whose certificate was simply allowed to lapse rather than revoked) can present it to a client that skips the expiration check and impersonate the legitimate service.
- The typical pattern is a man-in-the-middle position on the network path: the attacker terminates the TLS connection with the stale certificate, reads or modifies the traffic, and relays it onward, so credentials and session data are exposed without the client noticing.
• Security Impact:
- Direct consequences are loss of confidentiality, integrity and authenticity of the protected communication: the client believes it is talking to the genuine server.
- Cascading effects include stolen credentials and tokens being replayed against other systems, leading to unauthorized access and data breaches.
- Business impact may include reputational damage, financial losses and legal liability for non-compliance with security standards that require proper certificate validation.
• Prevention Guidelines:
- At the code level, compare the certificate's notBefore and notAfter against a trusted clock, allow only a small, explicit skew tolerance, and treat a missing or unparseable date as a validation failure rather than as "no expiry".
- Never disable certificate verification wholesale to work around an expired or self-signed certificate (rejectUnauthorized: false in Node.js, CURLOPT_SSL_VERIFYPEER = 0 in libcurl, InsecureSkipVerify in Go): such switches turn off expiration checking together with chain and hostname validation. Keep the validation logic in the TLS library and keep that library up to date.
- Use modern TLS libraries that perform full validation by default, such as OpenSSL or Bouncy Castle, and automate renewal (for example with ACME-based issuance) so that legitimate certificates do not lapse in the first place. Keep client and server clocks synchronized (NTP): a skewed clock makes valid certificates look expired and, worse, makes expired ones look current.
Corgea can automatically detect and fix Improper Validation of Certificate Expiration in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
// Vulnerable: verification is switched off for the whole connection.
const https = require('https');

const options = {
  hostname: 'example.com',
  port: 443,
  method: 'GET',
  // WARNING: disables all certificate validation: chain of trust, hostname
  // matching and the notBefore/notAfter expiration check. An expired (or
  // forged) certificate presented by a man-in-the-middle is accepted.
  rejectUnauthorized: false
};

const req = https.request(options, (res) => {
  // The response is consumed without the peer's certificate ever being verified
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(`Problem with request: ${e.message}`);
});

req.end();
How to fix Improper Validation of Certificate Expiration?
In Node.js, leave rejectUnauthorized at its default of true (or set it explicitly, as below) and remove any code that sets it to false. With verification enabled, Node.js checks the server's certificate chain against the trusted Certificate Authorities, checks that the hostname matches the certificate, and rejects any certificate outside its notBefore/notAfter window; an expired certificate surfaces as an 'error' event whose code is CERT_HAS_EXPIRED, and the connection is torn down before any application data is sent. Two things undo this fix silently and should be checked for as well: the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0, which disables verification process-wide, and a custom checkServerIdentity callback that returns undefined unconditionally. Do not "fix" an expired certificate on the server by loosening the client; renew the certificate.
Fixed Code Example
// Fixed: full certificate verification is left on.
const https = require('https');

const options = {
  hostname: 'example.com',
  port: 443,
  method: 'GET',
  // true is also the default; stating it explicitly documents the intent and
  // restores chain, hostname and expiration (notBefore/notAfter) validation
  rejectUnauthorized: true
};

const req = https.request(options, (res) => {
  // This callback only runs if the server's certificate passed verification
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  // An expired server certificate is reported here, before any data is
  // exchanged, with e.code === 'CERT_HAS_EXPIRED'
  console.error(`Problem with request: ${e.code || ''} ${e.message}`);
});

req.end();
In these examples, the critical change is enabling certificate verification by setting rejectUnauthorized to true. That one setting restores the library's full validation: chain of trust, hostname match and the expiration check, so a man-in-the-middle presenting an expired or otherwise invalid certificate is rejected before the request is sent. Do not substitute a hand-rolled date comparison for the library's validation; if you need stricter policy (for example, warning on certificates close to expiry or enforcing a tighter skew tolerance), add it on top of the library's checks rather than instead of them.