Live Active security incident? Get immediate response
CWE Reference

CWE-599: Missing Validation of OpenSSL Certificate

Official CWE-599 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20weaknessIncomplete
Search CWE CWE Dictionary

Glexia's Take

CWE-599: Missing Validation of OpenSSL Certificate

Missing Validation of OpenSSL Certificate represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Confidentiality: Read Application Data: The data read may not be properly secured - it might be viewed by an attacker.
  • Access Control: Bypass Protection Mechanism,Gain Privileges or Assume Identity: Trust afforded to the system in question may allow for spoofing or redirection attacks.
  • Access Control: Gain Privileges or Assume Identity: If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.

Developer Pattern

CWE-599 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

high confidence from CWE-599, 4.20.

Official CWE Definition

CWE-599: Missing Validation of OpenSSL Certificate

The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.

Type
weakness
Abstraction
Variant
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following OpenSSL code ensures that the host has a certificate. Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.

Remediation

  • Architecture and Design: Ensure that proper authentication is included in the system design.
  • Implementation: Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.