{"@ID": "297", "@Name": "Improper Validation of Certificate with Host Mismatch", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "@Diagram": "/data/images/CWE-297-Diagram.png", "Description": "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.", "Extended_Description": {"xhtml:p": ["Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. In order to ensure data integrity, the certificate must be valid, and it must pertain to the site that is being accessed.", "Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name."]}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "923", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "295", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Mobile", "@Prevalence": "Undetermined"}, {"@Class": "Web Based", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation", "Note": "When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate, such as verifying the hostname, before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete."}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}]}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": [{"Scope": "Access Control", "Impact": "Gain Privileges or Assume Identity", "Note": "The data read from the system vouched for by the certificate may not be from the expected system."}, {"Scope": ["Authentication", "Other"], "Impact": "Other", "Note": "Trust afforded to the system in question - based on the malicious certificate - may allow for spoofing or redirection attacks."}, {"Scope": ["Access Control", "Other"], "Impact": ["Gain Privileges or Assume Identity", "Other"], "Note": "If the certificate's host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host."}]}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}, {"Method": "Dynamic Analysis with Manual Results Interpretation", "Description": "Set up an untrusted endpoint (e.g. a server) with which the product will connect.  Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted."}, {"Method": "Black Box", "Description": "When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955].  This methodology might be extensible to other technologies."}]}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed."}, {"Phase": "Implementation", "Description": "If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-122", "Intro_Text": "The following OpenSSL code obtains a certificate and verifies it.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// do secret things"}}, "#text": "cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {}"}}, "Body_Text": "Even though the \"verify\" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2012-5810", "Description": "Mobile banking application does not verify hostname, leading to financial loss.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5810"}, {"Reference": "CVE-2012-5811", "Description": "Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5811"}, {"Reference": "CVE-2012-5807", "Description": "Software for electronic checking does not verify hostname, leading to financial loss.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5807"}, {"Reference": "CVE-2012-3446", "Description": "Cloud-support library written in Python uses incorrect regular expression when matching hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-3446"}, {"Reference": "CVE-2009-2408", "Description": "Web browser does not correctly handle '\\0' character (NUL) in Common Name, allowing spoofing of https sites.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-2408"}, {"Reference": "CVE-2012-0867", "Description": "Database program truncates the Common Name during hostname verification, allowing spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-0867"}, {"Reference": "CVE-2010-2074", "Description": "Incorrect handling of '\\0' character (NUL) in hostname verification allows spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2010-2074"}, {"Reference": "CVE-2009-4565", "Description": "Mail server's incorrect handling of '\\0' character (NUL) in hostname verification allows spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-4565"}, {"Reference": "CVE-2009-3767", "Description": "LDAP server's incorrect handling of '\\0' character (NUL) in hostname verification allows spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-3767"}, {"Reference": "CVE-2012-5806", "Description": "Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5806"}, {"Reference": "CVE-2012-2993", "Description": "Smartphone device does not verify hostname, allowing spoofing of mail services.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-2993"}, {"Reference": "CVE-2012-5804", "Description": "E-commerce module does not verify hostname when connecting to payment site.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5804"}, {"Reference": "CVE-2012-5824", "Description": "Chat application does not validate hostname, leading to loss of privacy.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5824"}, {"Reference": "CVE-2012-5822", "Description": "Application uses third-party library that does not validate hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5822"}, {"Reference": "CVE-2012-5819", "Description": "Cloud storage management application does not validate hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5819"}, {"Reference": "CVE-2012-5817", "Description": "Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5817"}, {"Reference": "CVE-2012-5784", "Description": "SOAP platform does not verify the hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5784"}, {"Reference": "CVE-2012-5782", "Description": "PHP library for payments does not verify the hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5782"}, {"Reference": "CVE-2012-5780", "Description": "Merchant SDK for payments does not verify the hostname.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-5780"}, {"Reference": "CVE-2003-0355", "Description": "Web browser does not validate Common Name, allowing spoofing of https sites.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-0355"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "CLASP", "Entry_Name": "Failure to validate host-specific certificate data"}}, "References": {"Reference": [{"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-245"}, {"@External_Reference_ID": "REF-243"}, {"@External_Reference_ID": "REF-249"}, {"@External_Reference_ID": "REF-250"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 23: Improper Use of PKI, Especially SSL.\" Page 347"}, {"@External_Reference_ID": "REF-955"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Description, Name, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Description, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, References, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Modes_of_Introduction, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-01-16", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "Integrated mitigations and detection methods for Certificate Pinning based on feedback from the CWE Researcher List in December 2017."}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-09-19", "Modification_Version": "3.4", "Modification_ReleaseDate": "2019-09-19", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, References, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Common_Consequences, Description, Diagram, Modes_of_Introduction"}], "Previous_Entry_Name": [{"@Date": "2009-03-10", "#text": "Failure to Validate Host-specific Certificate Data"}, {"@Date": "2013-02-21", "#text": "Improper Validation of Host-specific Certificate Data"}]}}
