The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Ensure that proper certificate checking is included in the system design.
Understand and properly implement all checks necessary to ensure the integrity of certificate trust.
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust.
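One way to apply the pinning guidance above, shown as an added example that is not part of the original entry: the pin is recorded or compared only after the TLS handshake has validated the full chain and the hostname. The function names, the `PinMismatch` exception and the dictionary used as a pin store are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The validated leaf certificate differs from the stored pin."""


def verifying_context(cafile=None):
    """TLS context that validates the chain to a trusted root and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both are defaults of create_default_context(); fail loudly if a later
    # change weakens them, since a pin taken without them is unverified.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("chain or hostname verification is disabled")
    return ctx


def check_or_record_pin(pin_store, host, leaf_der):
    """Call only with a certificate from a handshake that already succeeded."""
    seen = hashlib.sha256(leaf_der).hexdigest()
    pinned = pin_store.get(host)
    if pinned is None:
        pin_store[host] = seen          # first use: record the validated leaf
        return "pinned"
    if pinned != seen:
        raise PinMismatch(f"{host}: certificate does not match stored pin")
    return "match"


def connect_pinned(host, port, pin_store, cafile=None):
    """Validate the full chain first, then apply the pin to the same leaf."""
    ctx = verifying_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        # wrap_socket() raises ssl.SSLCertVerificationError when the chain or
        # hostname check fails, so the pin logic never sees such a certificate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            return check_or_record_pin(pin_store, host, leaf_der)
```

The pin is an additional check on top of chain validation, so a pin match never substitutes for a failed handshake.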
Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source.
Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2016-2402: Server allows bypass of certificate pinning by sending a chain of trust that includes a trusted CA that is not pinned.
CVE-2008-4989: Verification function trusts certificate chains in which the last certificate is self-signed.
CVE-2012-5821: Chain: Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA).
CVE-2009-3046: Web browser does not check if any intermediate certificates are revoked.
CVE-2009-0265: Chain: DNS server does not correctly check the return value from the OpenSSL EVP_VerifyFinal function, allowing bypass of validation of the certificate chain.