CWE-345: Insufficient Verification of Data Authenticity
Weakness ID: 345
Version: v4.17
Weakness Name: Insufficient Verification of Data Authenticity
Vulnerability Mapping: Discouraged
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| ChildOf | Discouraged | Pillar | 693 | Protection Mechanism Failure |
| ParentOf | Allowed | Base | 1293 | Missing Source Correlation of Multiple Independent Data |
| ParentOf | Allowed | Base | 1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
| ParentOf | Discouraged | Class | 20 | Improper Input Validation |
| ParentOf | Allowed-with-Review | Class | 346 | Origin Validation Error |
| ParentOf | Allowed | Base | 347 | Improper Verification of Cryptographic Signature |
| ParentOf | Allowed | Base | 348 | Use of Less Trusted Source |
| ParentOf | Allowed | Base | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| ParentOf | Allowed | Base | 351 | Insufficient Type Distinction |
| ParentOf | Allowed | Compound | 352 | Cross-Site Request Forgery (CSRF) |
| ParentOf | Allowed | Base | 353 | Missing Support for Integrity Check |
| ParentOf | Allowed | Base | 354 | Improper Validation of Integrity Check Value |
| ParentOf | Allowed | Base | 358 | Improperly Implemented Security Check for Standard |
| ParentOf | Allowed | Base | 360 | Trust of System Event Data |
| ParentOf | Allowed | Base | 494 | Download of Code Without Integrity Check |
| ParentOf | Allowed | Variant | 616 | Incomplete Identification of Uploaded File Variables (PHP) |
| ParentOf | Allowed | Variant | 646 | Reliance on File Name or Extension of Externally-Supplied File |
| ParentOf | Allowed | Base | 649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
| ParentOf | Allowed | Base | 708 | Incorrect Ownership Assignment |
| ParentOf | Allowed | Base | 924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
▼Memberships
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
| MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication |
| MemberOf | Prohibited | View | 1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities |
| MemberOf | Prohibited | Category | 1014 | Identify Actors |
| MemberOf | Prohibited | Category | 1354 | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures |
| MemberOf | Prohibited | Category | 1411 | Comprehensive Categorization: Insufficient Verification of Data Authenticity |
▼Tags
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses |
| MemberOf | Prohibited | BOSSView | BOSS-305 | ICS/OT (technology class) Weaknesses |
| MemberOf | Prohibited | BOSSView | BOSS-315 | Unexpected State (impact) |
| MemberOf | Prohibited | BOSSView | BOSS-326 | Varies by Context (impact) |
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 1014 | Identify Actors |

Relevant to the view "OWASP Top Ten (2021) - (1344)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 1354 | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures |

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication |
▼Background Detail

▼Common Consequences
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| Integrity, Other | N/A | Varies by Context, Unexpected State | N/A |
▼Potential Mitigations
▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

REALIZATION: This weakness is caused during implementation of an architectural security tactic.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Technology
Class: ICS/OT (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.


Multiple vendors did not sign firmware images.

▼Observed Examples
| Reference | Description |
|---|---|
| CVE-2022-30260 | Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks |
| CVE-2022-30267 | Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks |
| CVE-2022-30272 | Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums |
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
Note:

N/A

▼Vulnerability Mapping Notes
Usage: Discouraged
Reason: Abstraction
Rationale:

This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate.

Comments:

Examine children of this entry to see if there is a better fit.

Suggestions:
▼Notes
Relationship

"origin validation" could fall under this.

Maintenance

The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.

▼Taxonomy Mappings

| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| PLOVER | N/A | N/A | Insufficient Verification of Data |
| OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
| WASC | 12 | N/A | Content Spoofing |
▼Related Attack Patterns

| ID | Name |
|---|---|
| CAPEC-111 | JSON Hijacking (aka JavaScript Hijacking) |
| CAPEC-141 | Cache Poisoning |
| CAPEC-142 | DNS Cache Poisoning |
| CAPEC-148 | Content Spoofing |
| CAPEC-218 | Spoofing of UDDI/ebXML Messages |
| CAPEC-384 | Application API Message Manipulation via Man-in-the-Middle |
| CAPEC-385 | Transaction or Event Tampering via Application API Manipulation |
| CAPEC-386 | Application API Navigation Remapping |
| CAPEC-387 | Navigation Remapping To Propagate Malicious Content |
| CAPEC-388 | Application API Button Hijacking |
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
| CAPEC-701 | Browser in the Middle (BiTM) |
▼References
[REF-44] Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. "Sin 15: Not Updating Easily." Page 231. McGraw-Hill. 2010.
[REF-1283] Forescout Vedere Labs. OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management. 2022-06-20. https://www.forescout.com/resources/ot-icefall-report/