CWE-299 Base Rascunho Medium likelihood

Improper Check for Certificate Revocation

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy…

Definição

What is CWE-299?

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate.
Failing to check certificate revocation is a critical security gap, more severe than other certificate errors. When a certificate is revoked, it's almost always because the associated private key has been exposed or the issuing authority no longer trusts it—meaning any system still using that certificate is likely compromised. Legitimate services should never operate with a revoked certificate unless they have a serious configuration or synchronization problem. For developers, this means your application could mistakenly trust a malicious actor impersonating a legitimate server. To prevent this, always implement and test proper revocation checking mechanisms like CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) in your TLS/SSL handshake logic, and ensure these checks cannot be bypassed by network errors or performance shortcuts.
Impacto no mundo real

Real-world CVEs caused by CWE-299

  • CVE-2011-2014

    LDAP-over-SSL implementation does not check Certificate Revocation List (CRL), allowing spoofing using a revoked certificate.

  • CVE-2011-0199

    Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.

  • CVE-2010-5185

    Antivirus product does not check whether certificates from signed executables have been revoked.

  • CVE-2009-3046

    Web browser does not check if any intermediate certificates are revoked.

  • CVE-2009-0161

    chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate.

  • CVE-2011-2701

    chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate.

  • CVE-2011-0935

    Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked.

  • CVE-2009-1358

    chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate.

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    Identificar um caminho de código que trata input não confiável sem validação.

  2. 2

    Criar um payload que explora o comportamento inseguro — injeção, traversal, overflow ou abuso de lógica.

  3. 3

    Entregar o payload através de um pedido normal e observar a reação da aplicação.

  4. 4

    Iterar até que a resposta exponha dados, execute código do atacante ou escale privilégios.

Exemplo de código vulnerável

Vulnerable C

The following OpenSSL code ensures that there is a certificate before continuing execution.

Vulnerável C 
if (cert = SSL_get_peer_certificate(ssl)) {
```
// got a certificate, do secret things*
Exemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-299

  • Architecture and Design Ensure that certificates are checked for revoked status.
  • Implementation If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.
Sinais de deteção

How to detect CWE-299

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-299 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-299?

This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate.

Qual a gravidade do CWE-299?

A MITRE classifica a probabilidade de exploração como Média — a exploração é realista mas normalmente requer condições específicas.

Que linguagens ou plataformas são afetadas pelo CWE-299?

A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.

Como posso prevenir o CWE-299?

Ensure that certificates are checked for revoked status. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.

Como é que o Plexicus deteta e corrige o CWE-299?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-299 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-299?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/299.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-299

CWE-295 Pai

Improper Certificate Validation

This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the…

CWE-296 Irmão

Improper Following of a Certificate's Chain of Trust

This vulnerability occurs when software fails to properly validate the entire certificate chain back to a trusted root authority. This…

CWE-297 Irmão

Improper Validation of Certificate with Host Mismatch

This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to…

CWE-298 Irmão

Improper Validation of Certificate Expiration

This vulnerability occurs when an application fails to properly check if a digital certificate has expired, potentially trusting…

CWE-599 Irmão

Missing Validation of OpenSSL Certificate

This vulnerability occurs when an application uses OpenSSL but fails to properly verify server certificates by not calling…

CWE-370 Filho

Missing Check for Certificate Revocation after Initial Check

This vulnerability occurs when software only verifies a certificate's revocation status once, then continues to trust it for subsequent…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo