Read Time:2 Minute, 15 Second
Description
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
CWE-923
CWE-295
Consequences
Access Control: Gain Privileges or Assume Identity
The data read from the system vouched for by the certificate may not be from the expected system.
Authentication, Other: Other
Trust afforded to the system in question – based on the malicious certificate – may allow for spoofing or redirection attacks.
Potential Mitigations
Phase: Architecture and Design
Description:
Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Phase: Implementation
Description:
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
CVE References
- CVE-2012-5810
- Mobile banking application does not verify hostname, leading to financial loss.
- CVE-2012-5811
- Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents.
- CVE-2012-5807
- Software for electronic checking does not verify hostname, leading to financial loss.
- CVE-2012-3446
- Cloud-support library written in Python uses incorrect regular expression when matching hostname.
- CVE-2009-2408
- Web browser does not correctly handle ‘�’ character (NUL) in Common Name, allowing spoofing of https sites.
- CVE-2012-0867
- Database program truncates the Common Name during hostname verification, allowing spoofing.
- CVE-2010-2074
- Incorrect handling of ‘�’ character (NUL) in hostname verification allows spoofing.
- CVE-2009-4565
- Mail server’s incorrect handling of ‘�’ character (NUL) in hostname verification allows spoofing.
- CVE-2009-3767
- LDAP server’s incorrect handling of ‘�’ character (NUL) in hostname verification allows spoofing.
- CVE-2012-5806
- Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function.
- CVE-2012-2993
- Smartphone device does not verify hostname, allowing spoofing of mail services.
- CVE-2012-5804
- E-commerce module does not verify hostname when connecting to payment site.
- CVE-2012-5824
- Chat application does not validate hostname, leading to loss of privacy.
- CVE-2012-5822
- Application uses third-party library that does not validate hostname.
- CVE-2012-5819
- Cloud storage management application does not validate hostname.
- CVE-2012-5817
- Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.
- CVE-2012-5782
- PHP library for payments does not verify the hostname.
- CVE-2012-5780
- Merchant SDK for payments does not verify the hostname.
- CVE-2003-0355
- Web browser does not validate Common Name, allowing spoofing of https sites.
