CWE-599: Missing Validation of OpenSSL Certificate

VariantIncomplete

The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.

View on MITRE
Back to CWE Lookup

Extended Description

This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-599: Missing Validation of OpenSSL Certificate?+

CWE-599: Missing Validation of OpenSSL Certificate is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.

What are the security consequences of Missing Validation of OpenSSL Certificate?+

If exploited, CWE-599 (Missing Validation of OpenSSL Certificate) it can compromise Confidentiality and Access Control, leading to outcomes such as Read Application Data, Bypass Protection Mechanism and Gain Privileges or Assume Identity.

How do you prevent or mitigate Missing Validation of OpenSSL Certificate?+

Recommended mitigations for CWE-599 include: Ensure that proper authentication is included in the system design. Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-599 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More