CWE-370: Missing Check for Certificate Revocation after Initial Check

Learn about CWE-370 (Missing Check for Certificate Revocation after Initial Check), its security impact, exploitation methods, and prevention guidelines.

What is Missing Check for Certificate Revocation after Initial Check?

• Overview: Missing Check for Certificate Revocation after Initial Check, CWE-370, is a vulnerability where a system fails to verify if a digital certificate has been revoked after an initial check. This can lead to privileged operations being executed even if the certificate has been invalidated later on.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by continuing to use a compromised, revoked certificate to gain unauthorized access or perform privileged actions.
  • Common attack patterns include man-in-the-middle attacks, where an attacker intercepts communications, or impersonation attacks, where an attacker poses as a legitimate user or service.

• Security Impact:

  • Direct consequences include unauthorized access and execution of privileged actions by revoked certificate holders.
  • Potential cascading effects involve the compromise of system integrity and confidentiality, leading to further unauthorized access or data breaches.
  • Business impact can include loss of customer trust, legal liabilities, and financial losses due to compromised sensitive information or system downtime.

• Prevention Guidelines:

  • Specific code-level fixes include implementing checks for certificate revocation status before each privileged action, not just at initial authentication.
  • Security best practices involve using protocols such as Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to verify the status of a certificate in real time.
  • Recommended tools and frameworks include libraries that support automated revocation checks and updates, such as those provided by OpenSSL or other modern cryptographic libraries.
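The re-check-before-each-action pattern from the guidelines above, as an added example that is not part of the original page: a revocation checker that caches one CRL/OCSP snapshot until its nextUpdate time, fails closed when no revocation data can be obtained, and is consulted by a session before every privileged operation rather than only at login. The CA state, the serial number 0x1234 and the clock are constructed in-memory stand-ins (Python standard library only, no network); a real deployment would fill the snapshot from a downloaded CRL or an OCSP response.

```python
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


class RevocationCheckError(Exception):
    """Raised when fresh revocation data cannot be obtained (fail closed)."""


@dataclass(frozen=True)
class RevocationSnapshot:
    # The parts of a CRL or OCSP response that matter for freshness:
    # which serials are revoked, when the data was produced, when it expires.
    revoked_serials: FrozenSet[int]
    this_update: float
    next_update: float


class RevocationChecker:
    """Caches one revocation snapshot and refreshes it once next_update has passed."""

    def __init__(self, fetch: Callable[[], RevocationSnapshot],
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch    # hypothetical source; in production a CRL download or OCSP query
        self._clock = clock
        self._cached: Optional[RevocationSnapshot] = None

    def _fresh_snapshot(self) -> RevocationSnapshot:
        now = self._clock()
        if self._cached is None or now >= self._cached.next_update:
            try:
                self._cached = self._fetch()
            except Exception as exc:
                # No usable revocation data: refuse rather than assume "not revoked".
                raise RevocationCheckError("revocation data unavailable") from exc
        return self._cached

    def is_revoked(self, serial: int) -> bool:
        return serial in self._fresh_snapshot().revoked_serials


class PrivilegedSession:
    """Session bound to a certificate serial; every privileged call re-checks revocation."""

    def __init__(self, serial: int, checker: RevocationChecker):
        if checker.is_revoked(serial):
            raise PermissionError("certificate revoked at login")
        self.serial = serial
        self._checker = checker

    def perform(self, action: str) -> str:
        # CWE-370 fix: the check happens at the time of the action, not only at login.
        if self._checker.is_revoked(self.serial):
            raise PermissionError(f"{action} refused: certificate revoked")
        return f"{action}: ok"


def run_scenario() -> List[str]:
    """Constructed walkthrough: the CA revokes the session's certificate mid-session."""
    clock = {"now": 1_000.0}
    ca_revoked = set()        # constructed CA state standing in for a real CRL/OCSP responder
    crl_lifetime = 600.0      # seconds until nextUpdate; shorter means a tighter revocation window

    def fetch_crl() -> RevocationSnapshot:
        now = clock["now"]
        return RevocationSnapshot(frozenset(ca_revoked), now, now + crl_lifetime)

    checker = RevocationChecker(fetch_crl, clock=lambda: clock["now"])
    session = PrivilegedSession(serial=0x1234, checker=checker)
    events = [session.perform("read-secret")]

    ca_revoked.add(0x1234)    # the CA revokes the certificate after the initial check
    clock["now"] += 60        # still inside the cached snapshot's validity window
    events.append(session.perform("rotate-key"))   # allowed: cached data is still "fresh"

    clock["now"] += crl_lifetime   # past nextUpdate: the next check must refetch
    try:
        events.append(session.perform("delete-backups"))
    except PermissionError as exc:
        events.append(str(exc))
    return events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The second call in the scenario is the caveat worth noticing: a revocation issued while a cached snapshot is still within its validity window is not seen until that snapshot expires, so nextUpdate (or a shorter local TTL) bounds how long a revoked certificate keeps working. A session that checked only in its constructor would never notice the revocation at all.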

Corgea can automatically detect and fix Missing Check for Certificate Revocation after Initial Check in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example


import ssl
import socket

def verify_certificate(host):
    # Establish a connection without checking for certificate revocation
    context = ssl.create_default_context()
    conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname=host)
    conn.connect((host, 443))
    
    # Initial check for certificate validity
    cert = conn.getpeercert()
    # Assume some initial check logic here
    print("Certificate is initially valid.")

    # Missing: Subsequent checks for certificate revocation.
    # The certificate could be revoked after this initial check,
    # but this code does not re-check its status, leading to a security vulnerability.
    return cert

Explanation:

  • Lines 6-7: The code establishes an SSL connection but does not enable any form of certificate revocation checking.
  • Lines 11-12: After an initial certificate validity check, the code does not perform any further checks to ensure the certificate hasn't been revoked, which could lead to security vulnerabilities.

How to fix Missing Check for Certificate Revocation after Initial Check?

Fixed Code Example

import ssl
import socket
import urllib.request
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID

def _aia_urls(cert_obj, access_method):
    # Collect the URLs of one access method (OCSP or CA Issuers) from the AIA extension
    aia = cert_obj.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia if d.access_method == access_method]

def get_issuer_certificate(cert_obj):
    # Fetch the issuer certificate from the leaf's "CA Issuers" URL; it is needed to build the OCSP request
    urls = _aia_urls(cert_obj, AuthorityInformationAccessOID.CA_ISSUERS)
    if not urls:
        raise ssl.CertificateError("Certificate carries no CA Issuers URL.")
    with urllib.request.urlopen(urls[0], timeout=10) as resp:
        return x509.load_der_x509_certificate(resp.read())

def send_ocsp_request(ocsp_url, ocsp_request):
    # POST the DER-encoded request to the responder and parse the DER-encoded answer
    req = urllib.request.Request(
        ocsp_url,
        data=ocsp_request.public_bytes(serialization.Encoding.DER),
        headers={"Content-Type": "application/ocsp-request"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return ocsp.load_der_ocsp_response(resp.read())

def verify_certificate_with_ocsp(host):
    # Call this before each privileged action, not only once at connection time
    context = ssl.create_default_context()
    conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname=host)
    conn.connect((host, 443))

    # Initial certificate retrieval (DER bytes) and parsing
    cert = conn.getpeercert(binary_form=True)
    cert_obj = x509.load_der_x509_certificate(cert)

    # Build the OCSP request; the certificate is identified via its issuer and serial
    issuer_cert = get_issuer_certificate(cert_obj)
    builder = ocsp.OCSPRequestBuilder().add_certificate(cert_obj, issuer_cert, hashes.SHA256())
    ocsp_request = builder.build()

    # Locate the OCSP responder URL in the certificate's Authority Information Access extension
    ocsp_urls = _aia_urls(cert_obj, AuthorityInformationAccessOID.OCSP)
    if not ocsp_urls:
        raise ssl.CertificateError("Certificate carries no OCSP responder URL.")

    # Send the OCSP request to the responder and fail closed on anything but a GOOD answer
    response = send_ocsp_request(ocsp_urls[0], ocsp_request)
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ssl.CertificateError("OCSP responder returned an unsuccessful response.")
    if response.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        raise ssl.CertificateError("Certificate has been revoked.")
    if response.certificate_status != ocsp.OCSPCertStatus.GOOD:
        raise ssl.CertificateError("OCSP status is UNKNOWN; refusing to trust the certificate.")

    print("Certificate is valid and not revoked.")
    return cert

Explanation:

  • Issuer retrieval and request construction: the code fetches the issuer certificate from the leaf's CA Issuers URL and builds an OCSP request that identifies the certificate by its issuer and serial number.
  • Responder lookup and query: the OCSP responder URL is read from the certificate's Authority Information Access extension, the DER-encoded request is sent to it, and the response is parsed.
  • Decision: if the response reports the certificate as revoked, an exception is raised to prevent further operations, ensuring the application does not trust a revoked certificate.

Best Practices:

  • OCSP Checking: By implementing OCSP checks, the application can dynamically verify the revocation status of certificates.
  • Error Handling: Raising an exception if the certificate is revoked prevents the application from proceeding with an insecure connection.



Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-370: Missing Check for Certificate Revocation after Initial Check and get remediation guidance

Start for free and no credit card needed.