Improper Validation of Certificate Expiration

Status: Draft
Abstraction: Variant
Structure: Simple

Description

This vulnerability occurs when an application fails to properly check if a digital certificate has expired, potentially trusting certificates that are no longer valid due to their age.

Extended Description

Digital certificates have built-in expiration dates for security reasons, similar to how a driver's license needs renewal. When your application doesn't verify this expiration, it might continue to trust certificates that have been abandoned or revoked, creating a false sense of security in your authentication or encryption processes. This oversight completely undermines the certificate's purpose, as you cannot verify whether the certificate holder still has legitimate access. To prevent this, always implement proper date validation against the certificate's 'valid from' and 'valid to' timestamps during every verification routine.

Common Consequences (2)

Scope: Integrity, Other
Impact: Other

The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.

Scope: Authentication, Other
Impact: Other

Trust afforded to the system in question, based on the expired certificate, may allow for spoofing attacks.

Potential Mitigations (2)

Phase: Architecture and Design
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Phase: Implementation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

Demonstrative Examples (1)

ID: DX-123

The following OpenSSL code checks that a peer certificate is present, but it also accepts certificates that have already expired.

Code Example (Bad, C):

    //do stuff

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, the certificate has expired. The longer an expired certificate continues to be accepted, the greater the chance that an attacker has been able to compromise it.
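The added example below is not CWE's or OpenSSL's code. It puts the flawed acceptance rule from the demonstrative example (treating X509_V_ERR_CERT_HAS_EXPIRED like X509_V_OK) next to a hardened rule, adds the explicit 'valid from' / 'valid to' check the extended description calls for, returns a user-facing explanation as the Architecture and Design mitigation asks, and gates certificate pinning on that check as the Implementation mitigation asks. The three X509_V_* constants carry the values OpenSSL defines in x509_vfy.h, but nothing links against OpenSSL: struct cert_validity, the function names and the epoch timestamps are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same values as OpenSSL's x509_vfy.h, so the acceptance logic mirrors what
 * a caller of SSL_get_verify_result() sees; no OpenSSL is linked here. */
#define X509_V_OK                     0
#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED   10

/* Constructed stand-in for a certificate's notBefore / notAfter fields. */
struct cert_validity {
    time_t not_before;  /* first instant the certificate is valid */
    time_t not_after;   /* last instant the certificate is valid (inclusive) */
};

/* The flawed rule from the demonstrative example: an expired certificate is
 * accepted exactly as if verification had succeeded. */
int accept_verify_result_bad(long verify_result)
{
    return verify_result == X509_V_OK ||
           verify_result == X509_V_ERR_CERT_HAS_EXPIRED;
}

/* Hardened rule: only a fully successful verification is accepted. */
int accept_verify_result_good(long verify_result)
{
    return verify_result == X509_V_OK;
}

/* Explicit validity-window check against a supplied clock value. Both bounds
 * are inclusive (RFC 5280 validity period), and "not yet valid" is reported
 * separately from "expired" because the remedies differ. */
long check_validity_window(const struct cert_validity *v, time_t now)
{
    if (now < v->not_before)
        return X509_V_ERR_CERT_NOT_YET_VALID;
    if (now > v->not_after)
        return X509_V_ERR_CERT_HAS_EXPIRED;
    return X509_V_OK;
}

/* User-facing text: what is wrong and how to proceed, never a silent pass. */
const char *explain_verify_result(long verify_result)
{
    switch (verify_result) {
    case X509_V_OK:
        return "certificate is within its validity period";
    case X509_V_ERR_CERT_NOT_YET_VALID:
        return "certificate is not yet valid: check this system's clock "
               "before trusting the peer; do not connect";
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return "certificate has expired: the peer must renew it; "
               "do not connect";
    default:
        return "certificate verification failed; do not connect";
    }
}

/* Pinning gate: the certificate is recorded as the pin only if its validity
 * window (among the properties a real implementation would check) passes.
 * Returns 1 and stores the pin on success, 0 and leaves *pin_store alone. */
int pin_if_valid(const struct cert_validity *v, time_t now,
                 struct cert_validity *pin_store)
{
    if (check_validity_window(v, now) != X509_V_OK)
        return 0;
    *pin_store = *v;
    return 1;
}

int main(void)
{
    /* Constructed certificate valid for calendar year 2024 (UTC). */
    struct cert_validity cert = {
        .not_before = 1704067200, /* 2024-01-01T00:00:00Z */
        .not_after  = 1735689599, /* 2024-12-31T23:59:59Z */
    };
    /* Constructed clock readings: before, during and after the window. */
    time_t clocks[] = { 1700000000, 1720000000, 1740000000 };
    struct cert_validity pin = { 0, 0 };

    for (size_t i = 0; i < sizeof clocks / sizeof clocks[0]; i++) {
        long r = check_validity_window(&cert, clocks[i]);
        printf("clock=%ld result=%ld bad_accepts=%d good_accepts=%d "
               "pinned=%d\n  %s\n",
               (long)clocks[i], r, accept_verify_result_bad(r),
               accept_verify_result_good(r), pin_if_valid(&cert, clocks[i], &pin),
               explain_verify_result(r));
    }
    return 0;
}
```

The third clock reading is the case the demonstrative example gets wrong: check_validity_window reports X509_V_ERR_CERT_HAS_EXPIRED, accept_verify_result_bad still returns 1, accept_verify_result_good returns 0, and pin_if_valid refuses to record the pin.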
References (2)

REF-18: Secure Software, Inc. "The CLASP Application Security Process". 2005.
REF-44: Michael Howard, David LeBlanc, and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010.
Likelihood of Exploit

Low

Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)

Modes of Introduction

Phase: Implementation

Taxonomy Mapping
  • CLASP