This vulnerability occurs when an application uses OpenSSL but fails to properly verify server certificates by not calling SSL_get_verify_result(). Without this validation, the application may accept insecure or fraudulent certificates.
When an application connects to a server using OpenSSL, it must explicitly verify that the server's certificate is valid and trustworthy. Skipping the SSL_get_verify_result() function means the application blindly accepts any certificate presented, missing critical checks for expiration, proper signing by a trusted Certificate Authority (CA), hostname matching, and revocation status. This missing validation creates an open door for attackers to impersonate trusted servers using self-signed, expired, or otherwise invalid certificates. It enables man-in-the-middle (MITM) attacks where encrypted traffic can be intercepted and decrypted, potentially exposing sensitive data like login credentials or API keys that the application transmits.
Impact: Read Application Data
The data read may not be properly secured; it might be viewed by an attacker.
Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Trust afforded to the system in question may allow for spoofing or redirection attacks.
Impact: Gain Privileges or Assume Identity
If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.
```c
// got certificate, host can be trusted
```