Tag Archives: Improper Validation of Certificate Expiration

CWE-298 – Improper Validation of Certificate Expiration

Read Time:54 Second

Description

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-295
CWE-672

 

Consequences

Integrity, Other: Other

The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.

Authentication, Other: Other

Trust afforded to the system in question – based on the expired certificate – may allow for spoofing attacks.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Phase: Implementation

Description: 

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

CVE References