Race Condition in Checking for Certificate Revocation

From Guidance Share


Description

If the revocation status of a certificate is not checked before each privilege-requiring action, the system may be subject to a race condition, in which the certificate is revoked between the time its status is checked and the time it is used.

Applies To

  • Languages: Languages which do not abstract out this part of the process.
  • Operating platforms: All


Example

In the following example the certificate status is checked and then a privileged action is performed. Later another privileged action is performed without again checking certificate status to ensure the certificate has not been revoked:

/* Obtain the peer certificate; bail out if there is none or no host */
if ((cert = SSL_get_peer_certificate(ssl)) == NULL || !host)
    return -1;
foo = SSL_get_verify_result(ssl);
if (X509_V_OK == foo) {
    /* do stuff: first privileged action, guarded by the check */
}
foo = SSL_get_verify_result(ssl);   /* result fetched but never tested */
/* do more stuff without the check: second privileged action */

Impact

  • Authentication: Trust may be assigned to an entity who is not who it claims to be.
  • Integrity: Data from an untrusted (and possibly malicious) source may be used.
  • Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

Vulnerabilities

  • Failure to check certificate revocation status before each use.

Countermeasures

  • Design: Ensure that certificates are checked for revoked status before each use of a protected resource.
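The check-before-each-use countermeasure, as an added example that is not part of this page: a vulnerable gate that trusts the status cached at handshake beside a hardened gate that consults the revocation list before every privileged action. The CRL model, struct names, serial number and timestamps are constructed for illustration; a CRL past its nextUpdate is treated as unknown status, i.e. revoked.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed CRL model: revoked serials plus the nextUpdate time after which the list is stale */
typedef struct {
    long revoked[8];
    size_t count;
    long next_update;
} crl_t;

/* Constructed session: peer certificate serial and the result cached at handshake */
typedef struct { long serial; bool verified_at_handshake; } session_t;

/* True if the serial is listed, or if the CRL is stale and status cannot be vouched for */
bool cert_is_revoked(const crl_t *crl, long serial, long now)
{
    if (now > crl->next_update)
        return true;
    for (size_t i = 0; i < crl->count; i++)
        if (crl->revoked[i] == serial)
            return true;
    return false;
}

/* Vulnerable gate: trusts the result cached when the session was set up */
bool gate_cached(const session_t *s)
{
    return s->verified_at_handshake;
}

/* Hardened gate: consults the current CRL before every privileged action */
bool gate_rechecked(const session_t *s, const crl_t *crl, long now)
{
    return s->verified_at_handshake && !cert_is_revoked(crl, s->serial, now);
}

/* Scenario: cert good at handshake (t=0), revoked at t=60, second action at t=120; returns actions allowed */
int run_scenario(bool recheck)
{
    crl_t crl = { .count = 0, .next_update = 3600 };
    session_t s = { .serial = 0x1001, .verified_at_handshake = false };
    int allowed = 0;
    s.verified_at_handshake = !cert_is_revoked(&crl, s.serial, 0);
    allowed += recheck ? gate_rechecked(&s, &crl, 0) : gate_cached(&s);
    crl.revoked[crl.count++] = s.serial;     /* CA revokes the certificate, publishes a new CRL */
    crl.next_update = 3660;
    allowed += recheck ? gate_rechecked(&s, &crl, 120) : gate_cached(&s);
    return allowed;                          /* cached gate: 2, rechecked gate: 1 */
}
```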
