CWE-353: Missing Support for Integrity Check
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Extended Description
If integrity check values or "checksums" are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.
Common Consequences
Scope: Integrity, Other
Technical Impact: Other
Note: Data that is parsed and used may be corrupted.
Scope: Non-Repudiation, Other
Technical Impact: Hide Activities, Other
Note: Without a checksum it is impossible to determine if any changes have been made to the data after it was sent.
Potential Mitigations
Phase: Architecture and Design
Description: Add an appropriately sized checksum to the protocol, ensuring that data received may be simply validated before it is parsed and used.
Phase: Implementation
Description: Ensure that the checksums present in the protocol design are properly implemented and added to each message before it is sent.
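The two mitigation phases above, worked through on a constructed message format (added example, not code from the CWE entry): a CRC-32 trailer is appended to every message at send time, and the receiver validates it before interpreting any field, so a receiver without the check accepts a corrupted frame while the checked receiver rejects it. The frame layout, field names and helper functions are assumptions for this example; note that a CRC detects accidental corruption only, since anyone who can modify the data can recompute it, so deliberate tampering needs a keyed MAC or signature instead.

```python
import binascii
import struct

# Constructed wire format for this example (an assumption, not from the CWE entry):
#   magic(2) | length(2) | payload(length) | crc32(4)
# The CRC-32 trailer covers header and payload, so the receiver checks the
# whole message before it trusts the length field or the payload bytes.
MAGIC = b"\xca\xfe"
HEADER = struct.Struct("!2sH")
TRAILER = struct.Struct("!I")


def encode(payload: bytes) -> bytes:
    """Frame a payload and append a CRC-32 over header and payload (sender side)."""
    body = HEADER.pack(MAGIC, len(payload)) + payload
    return body + TRAILER.pack(binascii.crc32(body) & 0xFFFFFFFF)


def decode_unchecked(frame: bytes) -> bytes:
    """CWE-353 receiver: trusts the header and parses with no integrity check."""
    _magic, length = HEADER.unpack_from(frame)
    return frame[HEADER.size:HEADER.size + length]


def decode(frame: bytes) -> bytes:
    """Mitigated receiver: verify the checksum first, only then parse."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise ValueError("frame too short")
    body, trailer = frame[:-TRAILER.size], frame[-TRAILER.size:]
    (expected,) = TRAILER.unpack(trailer)
    if binascii.crc32(body) & 0xFFFFFFFF != expected:
        raise ValueError("integrity check failed: CRC-32 mismatch")
    magic, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("malformed header")
    return body[HEADER.size:]


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate corruption in transit: flip the low bit of the byte at `index`."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def rejects_corruption(payload: bytes, index: int) -> bool:
    """True if the checked decoder rejects a single-bit error at byte `index`."""
    try:
        decode(flip_bit(encode(payload), index))
    except ValueError:
        return True
    return False
```

A CRC-32 detects every single-bit error regardless of position, so `rejects_corruption` holds for each byte of the frame, including the length field and the checksum itself.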
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Failure to add integrity check value | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.03.03 RE(1) | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.04.02 RE(1) | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.11.06 RE(2) | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 3.1 | - |
| ISA/IEC 62443 | Part 4-1 | Req SD-1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 3.1 | - |
Key Information
CWE ID: CWE-353
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: Medium