CWE-298: Improper Validation of Certificate Expiration
Learn about CWE-298 (Improper Validation of Certificate Expiration), its security impact, exploitation methods, and prevention guidelines.
What is Improper Validation of Certificate Expiration?
• Overview: Improper Validation of Certificate Expiration (CWE-298) occurs when a system fails to check, or incorrectly checks, the validity period of a digital certificate (its notBefore and notAfter dates), so that it trusts a certificate whose validity period has already ended. It is a specific form of Improper Certificate Validation (CWE-295): the expiration check is one of several checks a verifier must perform, and it is the one that bounds how long a leaked or retired key remains usable.
• Exploitation Methods:
- An attacker who holds the private key of an expired certificate (leaked from a decommissioned server, or a key whose compromise only came to light after the certificate lapsed) can present it to impersonate the legitimate service or to intercept communications; a client that ignores the validity period accepts it as if it were current.
- The common attack pattern is a man-in-the-middle: the attacker sits between client and server, terminates TLS with the expired certificate and key, and reads or alters the traffic. Because CRLs commonly drop entries for certificates once they expire, skipping the expiration check also removes the last mechanism that could still have stopped that key.
• Security Impact:
- Direct consequences include loss of confidentiality, integrity, and authenticity of data.
- Potential cascading effects involve unauthorized access to systems and data breaches, leading to further exploitation.
- Business impact may include reputational damage, financial losses, and legal liabilities due to non-compliance with security standards.
• Prevention Guidelines:
- Specific code-level fixes: never disable chain verification to "make it work"; keep the library's validity-period check enabled, and where you must implement the check yourself compare both the notBefore and notAfter dates against the current UTC time and fail closed when a date cannot be parsed.
- Security best practices: monitor certificate expiry and renew well before the deadline, so nobody is tempted to switch verification off when a certificate lapses; keep the system clock synchronized (NTP), because an expiration check is only a comparison against the local clock; and re-audit validation logic whenever the TLS library or its defaults change.
- Recommended tools and frameworks: modern SSL/TLS libraries that validate the validity period by default, such as OpenSSL or Bouncy Castle, together with automated certificate management (for example ACME-based renewal) so that certificates do not expire in production in the first place.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
const https = require('https');
const options = {
  hostname: 'example.com',
  port: 443,
  method: 'GET',
  // WARNING: turns off verification of the server's certificate chain entirely,
  // so an expired (or forged, or untrusted) certificate is accepted. The
  // expiration check is one of the checks lost here; all the others go with it.
  rejectUnauthorized: false
};
const req = https.request(options, (res) => {
  // The request proceeds even if the certificate's notAfter date has passed;
  // res.socket.authorized would be false, but nothing here inspects it.
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});
req.on('error', (e) => {
  console.error(`Problem with request: ${e.message}`);
});
req.end();
How to fix Improper Validation of Certificate Expiration?
In Node.js, rejectUnauthorized already defaults to true, so the fix is to remove the false override rather than to add anything. With verification enabled, Node validates the server's certificate chain against its trusted CA store (the bundled root certificates, or the ca option if one is supplied), which includes rejecting any certificate whose notBefore/notAfter window does not contain the current time, and then checks the hostname against the certificate's subject alternative names. Two related things to check while fixing: the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification process-wide with the same effect as the option, so grep deployment scripts and container definitions for it; and expiration checks are only as good as the system clock, so a host without time synchronization can silently accept expired certificates or reject valid ones. Together these changes prevent man-in-the-middle attacks that rely on an expired or otherwise invalid certificate being accepted.
Fixed Code Example
const https = require('https');
const options = {
  hostname: 'example.com',
  port: 443,
  method: 'GET',
  // This is the default; it is listed explicitly to document the intent.
  // Node verifies the chain (trust, signatures, validity period) and the
  // hostname, and fails the request if any check fails.
  rejectUnauthorized: true
};
const req = https.request(options, (res) => {
  // The callback only runs for a certificate that passed verification,
  // including the check that it has not expired.
  res.on('data', (d) => {
    process.stdout.write(d);
  });
});
req.on('error', (e) => {
  // An expired or untrusted certificate surfaces here as an error such as
  // CERT_HAS_EXPIRED instead of being silently accepted.
  console.error(`Problem with request: ${e.message}`);
});
req.end();
In these examples, the critical change is enabling certificate verification by setting rejectUnauthorized to true (equivalently, deleting the false override, since true is the default). This ensures that the SSL/TLS certificate is checked for expiration and the other validity criteria, thereby mitigating the risk of man-in-the-middle attacks that exploit expired or otherwise invalid certificates.