CWE-347

BaseDraft

View on MITRE

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

338 linked vulnerabilities

2 related weaknesses

Access Control

Integrity

Confidentiality

Gain Privileges or Assume Identity

Modify Application Data

Execute Unauthorized Code or Commands

An attacker could gain access to sensitive data and possibly execute unauthorized code.

Automated Static Analysis

Effectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

CWE-345ChildOf CWE-345ChildOf

Example CVEs (4)

CVE-2002-1796

Does not properly verify signatures for "trusted" entities.

CVE-2005-2181

Insufficient verification allows spoofing.

CVE-2005-2182

Insufficient verification allows spoofing.

CVE-2002-1706

Accepts a configuration file without a Message Integrity Check (MIC) signature.

External Links

MITRE CWE Database