TID-316: Incorrect Certificate Verification Allows Authentication Bypass

Threat Description

Certificate-based authentication depends on the correct parsing and validation of an X.509 certificate. However, if the certificate is not properly parsed and all fields are not validated, a threat actor could potentially bypass authentication using a fraudulent certificate.

Threat Maturity and Evidence

Known Exploitable Weakness
CVE-2020-0601
“Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The vulnerability is also known under the moniker of CurveBall.”

CVE-2023-41991
“Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.”

CWE

CVE

Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability
“Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.”

Siemens RuggedCom ROX-based Devices Certificate Verification Vulnerability and GnuTLS Certificate Error handling Vulnerability, CVE-2014-0092
“lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.”