Improper Validation of Certificate with Host Mismatch [CWE-297]
This weakness describes Improper Validation of Certificate with Host Mismatch.
Created: June 11, 2018
Latest Update: December 28, 2020
Want an in-depth understanding of all modern aspects of Improper Validation of Certificate with Host Mismatch [CWE-297]? Read this article carefully and bookmark it to come back later; we update this page regularly.
1. Description
The primary concept of SSL/TLS security is trust built between the two parties of the communication, the client and the server, where each party has proven its identity. Failing to establish this trust relationship because necessary verification steps were skipped jeopardizes the security of the entire client-server communication and gives an attacker the opportunity to perform a Man-in-the-Middle (MitM) attack. As a result, the attacker is able to decrypt and modify all data transferred via the supposedly encrypted channel.
Improper validation of a certificate with host mismatch is a weakness in how software treats a digital certificate issued for another domain. For example, the application tries to establish secure communication with the www.example.com website, but the web server returns a certificate issued for the www.example.net domain. This certificate can be valid and signed by a trusted CA, but the client application should still reject it.
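The comparison that hostname verification performs for the www.example.com / www.example.net case above, as an added example that is not part of the original article. The class and method names are hypothetical, the SAN lists are constructed sample data in the shape returned by X509Certificate.getSubjectAlternativeNames(), and only DNS names with a single leftmost wildcard label are handled.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Illustration of the check only. Production code should keep the platform's
// built-in hostname verification enabled rather than use a hand-written matcher.
public class HostMatchDemo {
    private static final Integer DNS_NAME = 2; // GeneralName tag for dNSName

    // sans has the shape returned by X509Certificate.getSubjectAlternativeNames():
    // every entry is a list of [Integer type, Object value].
    static boolean hostMatchesCertificate(String host, Collection<List<?>> sans) {
        if (host == null || sans == null) {
            return false; // nothing to compare against: reject
        }
        String wanted = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (san.size() == 2 && DNS_NAME.equals(san.get(0))
                    && matches(wanted, san.get(1).toString().toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false; // trusted CA or not, no name on the certificate fits this host
    }

    // Exact match, or a "*." pattern standing for exactly one leftmost label.
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(pattern.substring(1));
    }

    public static void main(String[] args) {
        // Constructed sample SAN lists standing in for three server certificates.
        Collection<List<?>> otherDomain = List.of(List.of(2, "www.example.net"));
        Collection<List<?>> sameDomain = List.of(List.of(2, "www.example.com"));
        Collection<List<?>> wildcard = List.of(List.of(2, "*.example.com"));
        String host = "www.example.com";

        System.out.println("cert for www.example.net: " + hostMatchesCertificate(host, otherDomain));
        System.out.println("cert for www.example.com: " + hostMatchesCertificate(host, sameDomain));
        System.out.println("cert for *.example.com:   " + hostMatchesCertificate(host, wildcard));
        System.out.println("apex vs *.example.com:    " + hostMatchesCertificate("example.com", wildcard));
    }
}
```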
This vulnerability is common in mobile applications. Developers often disable certificate verification for testing purposes and do not re-enable it for production deployment.
Below is an example of code that creates HostnameVerifier and disables hostname verification:
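    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;

    // Vulnerable: accepts the connection whatever host the certificate was issued for.
    final static HostnameVerifier NO_VERIFY = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    ...
    // Vulnerable: Apache HttpClient's allow-all verifier has the same effect.
    HostnameVerifier NO_VERIFY = org.apache.http.conn.ssl.SSLSocketFactory
            .ALLOW_ALL_HOSTNAME_VERIFIER;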
2. Potential impact
The attacker can perform a MitM attack and intercept all communication between your application and the server, which means that all data transferred via this connection can be decrypted and modified. In the case of a banking app, for example, the attacker might be able to gain full access to the victim’s banking account.
3. Attack patterns
There are no CAPEC patterns related to this weakness.
4. Affected software
Any software that acts as an SSL/TLS client and handles SSL certificates is potentially subject to this issue. Before deploying the software, make sure that your SSL/TLS communication settings are not compromised.
5. Mitigations
To resolve this vulnerability it is enough to turn hostname verification back on. When developing an application intended for SSL communication, try not to use self-signed or untrusted certificates, as they may introduce security-related issues in the production version of your application.
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.