logo

Improperly Implemented Security Check for Standard

Draft Base
Structure: Simple
Description

This vulnerability occurs when software fails to correctly implement one or more critical security checks required by a standard protocol, algorithm, or security technique.

Extended Description

Standards like TLS, OAuth, or cryptographic algorithms define specific security checks—such as certificate validation, timing attack mitigations, or proper error handling—to ensure their overall security. When developers implement these standards but miss, weaken, or incorrectly code these mandatory checks, they inadvertently introduce a security flaw while believing they are compliant. The software appears to follow the standard but contains a hidden weakness that attackers can exploit. This issue is particularly dangerous because it often evades casual review; the code looks correct on the surface. To prevent it, developers must treat the standard's security requirements as a strict checklist, not just a guideline. Security reviews and testing should specifically verify that each mandated check is implemented robustly and cannot be bypassed under any edge case or error condition.
Common Consequences 1
Scope: Access Control

Impact: Bypass Protection Mechanism
Observed Examples 8
CVE-2002-0862Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2002-0970Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2002-1407Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2005-0198Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).
CVE-2004-2163Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
CVE-2005-2181Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
CVE-2005-2182Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
CVE-2005-2298Security check not applied to all components, allowing bypass.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Improper Following of Specification by Caller (CWE-573)
ChildOf: Protection Mechanism Failure (CWE-693)
CanAlsoBe: Insufficient Verification of Data Authenticity (CWE-345)
CanAlsoBe: Authentication Bypass by Spoofing (CWE-290)
Taxonomy Mapping
  • PLOVER
Notes
RelationshipThis is a "missing step" error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.