CWE-297: Improper Validation of Certificate with Host Mismatch
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Common Consequences
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity
Note: The data read from the system vouched for by the certificate may not be from the expected system.
Scope: Authentication, Other
Technical Impact: Other
Note: Trust afforded to the system in question, based on the malicious certificate, may allow for spoofing or redirection attacks.
Potential Mitigations
Phase: Architecture and Design
Description: Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Phase: Implementation
Description: If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
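The two mitigations amount to: leave hostname verification on, always pass the host name you intended to reach into the TLS layer, and only compare a pin after the standard chain and hostname checks have passed. The following Python example is added here to show what that looks like with the standard library's ssl module; it is not code from the CWE entry. The function names (hardened_context, weak_context, audit_context, requires_server_hostname, fingerprint, pin_matches, connect_verified) are this example's own, and the pin passed to connect_verified is a placeholder the caller supplies.

```python
"""Hardened vs. weak TLS client setup for CWE-297 (added example).

Built on Python's standard ssl module; nothing here is from the CWE entry.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def hardened_context() -> ssl.SSLContext:
    """Chain validation AND hostname verification, as the first mitigation asks."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The CWE-297 anti-pattern: the chain is still validated, but the certificate
    is never tied to the host we meant to reach, so any valid certificate for any
    name is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    # ssl refuses verify_mode = CERT_NONE while check_hostname is True, which is
    # why "fixes" for certificate errors so often end up switching both off.
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """What a reviewer checks on every client SSLContext."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "host_verified": ctx.check_hostname,
    }


def requires_server_hostname(ctx: ssl.SSLContext) -> bool:
    """True if ctx refuses to wrap a socket without a server_hostname.

    With check_hostname enabled, ssl raises ValueError before any I/O, so
    forgetting the host name fails closed instead of silently skipping the
    check. Uses an unconnected socket; no network is involved."""
    with socket.socket() as raw:
        try:
            wrapped = ctx.wrap_socket(raw)  # deliberately no server_hostname
        except ValueError:
            return True
        wrapped.close()
        return False


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, the usual shape of a pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time pin comparison. Per the second mitigation, apply this only
    to a certificate that has already passed chain and hostname validation."""
    return hmac.compare_digest(fingerprint(der_cert), expected_sha256_hex.lower())


def connect_verified(host: str, port: int = 443,
                     expected_pin: Optional[str] = None) -> bytes:
    """Connect, verify chain + host name, then (optionally) check the pin.

    Returns the peer certificate in DER form. Needs network access, so the
    stand-alone demo below does not call it."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname is the name the certificate is matched against
        # (it is also sent as SNI); the hostname check runs in the handshake.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if expected_pin is not None and not pin_matches(der, expected_pin):
                raise ssl.SSLCertVerificationError("certificate pin mismatch")
            return der


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()))
    print("weak:    ", audit_context(weak_context()))
    print("hardened refuses a missing server_hostname:",
          requires_server_hostname(hardened_context()))
```

The audit function is the one-line code-review check: a client context with check_hostname False (or verify_mode other than CERT_REQUIRED) is an instance of this weakness regardless of what else the code does.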
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Method: Dynamic Analysis with Manual Results Interpretation
Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.
Method: Black Box
When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. This methodology might be extensible to other technologies.
Observed Examples
Reference: CVE-2012-5810
Mobile banking application does not verify hostname, leading to financial loss.
Reference: CVE-2012-5811
Mobile application for printing documents does not verify hostname, allowing attackers to read sensitive documents.
Reference: CVE-2012-5807
Software for electronic checking does not verify hostname, leading to financial loss.
Reference: CVE-2012-3446
Cloud-support library written in Python uses incorrect regular expression when matching hostname.
Reference: CVE-2009-2408
Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.
Reference: CVE-2012-0867
Database program truncates the Common Name during hostname verification, allowing spoofing.
Reference: CVE-2010-2074
Incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
Reference: CVE-2009-4565
Mail server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
Reference: CVE-2009-3767
LDAP server's incorrect handling of '\0' character (NUL) in hostname verification allows spoofing.
Reference: CVE-2012-5806
Payment processing module does not verify hostname when connecting to PayPal using PHP fsockopen function.
Reference: CVE-2012-2993
Smartphone device does not verify hostname, allowing spoofing of mail services.
Reference: CVE-2012-5804
E-commerce module does not verify hostname when connecting to payment site.
Reference: CVE-2012-5824
Chat application does not validate hostname, leading to loss of privacy.
Reference: CVE-2012-5822
Application uses third-party library that does not validate hostname.
Reference: CVE-2012-5819
Cloud storage management application does not validate hostname.
Reference: CVE-2012-5817
Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname.
Reference: CVE-2012-5784
SOAP platform does not verify the hostname.
Reference: CVE-2012-5782
PHP library for payments does not verify the hostname.
Reference: CVE-2012-5780
Merchant SDK for payments does not verify the hostname.
Reference: CVE-2003-0355
Web browser does not validate Common Name, allowing spoofing of https sites.
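Several of the examples above are not a missing check but a wrong one: a Common Name truncated at a NUL byte or at a fixed length, or a hand-rolled comparison that accepts more names than it should. The Python example below is added here to show the matching rules a correct check applies and two of the shortcuts behind those CVEs; it is not code from the CWE entry, and the certificates are constructed dicts in the shape ssl.getpeercert() returns, not real certificates. Modern TLS stacks (OpenSSL, which Python's ssl module uses when check_hostname is set) implement these rules for you; the matcher here illustrates them and is not a substitute for the library check. The names names_from_cert, name_matches, hostname_matches, c_style_match and prefix_match, and the domains attacker.test and example.com, are this example's own.

```python
"""Hostname matching rules, and two hand-rolled shortcuts that fail them
(added example for CWE-297; constructed inputs, not code from the entry)."""


def names_from_cert(cert: dict) -> list:
    """Names a certificate is valid for, from an ssl.getpeercert()-style dict.

    dNSName entries in subjectAltName win; the subject CN is consulted only
    when there is no SAN at all (RFC 6125 section 6.4.4)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host name.

    Rules: a NUL anywhere is a forgery attempt, not a name; comparison is
    case-insensitive and label by label; a wildcard may only be the whole
    left-most label, matches exactly one label, and needs at least two labels
    after it (so '*.com' and a bare '*' are rejected)."""
    if "\x00" in pattern or "\x00" in hostname:
        return False
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in plabels + hlabels):
        return False
    if plabels[0] == "*":
        rest = plabels[1:]
        if len(rest) < 2 or any("*" in label for label in rest):
            return False
        return rest == hlabels[1:]
    if "*" in pattern:
        return False  # wildcards anywhere else are not honoured
    return plabels == hlabels


def hostname_matches(hostname: str, cert: dict) -> bool:
    """The check CWE-297 asks for: is this certificate for the host we dialled?"""
    return any(name_matches(name, hostname) for name in names_from_cert(cert))


def c_style_match(hostname: str, cert: dict) -> bool:
    """Vulnerable: the NUL-byte class (CVE-2009-2408 and the others above).

    The name is handed to a C string routine, which stops at the first NUL,
    so 'www.example.com\\0.attacker.test' compares equal to 'www.example.com'."""
    return any(name.split("\x00", 1)[0].lower() == hostname.lower()
               for name in names_from_cert(cert))


def prefix_match(hostname: str, cert: dict) -> bool:
    """Vulnerable: 'does the certificate name start with the host name?'

    Comparing only a leading portion (the same mistake as truncating the CN
    to a fixed length) accepts an attacker's legitimately issued certificate
    for 'www.example.com.attacker.test' when connecting to 'www.example.com'."""
    return any(name.lower().startswith(hostname.lower())
               for name in names_from_cert(cert))


# Constructed certificates in the shape ssl.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
NUL_CERT = {"subject": ((("commonName", "www.example.com\x00.attacker.test"),),)}
ATTACKER_SUBDOMAIN_CERT = {"subjectAltName": (("DNS", "www.example.com.attacker.test"),)}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("wildcard", WILDCARD_CERT),
                        ("nul", NUL_CERT), ("attacker subdomain", ATTACKER_SUBDOMAIN_CERT)]:
        print(f"{label:19} strict={hostname_matches('www.example.com', cert)!s:5} "
              f"c_style={c_style_match('www.example.com', cert)!s:5} "
              f"prefix={prefix_match('www.example.com', cert)}")
```

Both vulnerable variants accept a certificate the attacker can obtain honestly (one for a name under a domain they control), which is what makes these bugs fully exploitable with a public CA rather than requiring a forged chain.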
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Failure to validate host-specific certificate data | - |