CWE-345: Insufficient Verification of Data Authenticity
Abstraction | Structure | Status |
---|---|---|
None | Simple | Draft |
Description
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Related Weaknesses
Nature | ID | View ID | Name |
---|---|---|---|
ChildOf | CWE-693 | 1000 | Protection Mechanism Failure |
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | - |
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Class: Not Language-Specific
Technologies
Class: ICS/OT
Common Consequences
Scope | Impact | Note |
---|---|---|
Integrity, Other | Varies by Context, Unexpected State | - |
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect “sources” (origins of input) with “sinks” (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Observed Examples
- CVE-2022-30260: Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
- CVE-2022-30267: Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
- CVE-2022-30272: Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums
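The description above and the three observed examples describe the same pattern: the receiver checks that the data is intact (a checksum) but never checks who produced it. The following is an added example, not code from MITRE or from any of the affected vendors, that puts the weak check beside a hardened one. The "firmware image" bytes, the attacker's edit and the key are all constructed for the demonstration. A keyed HMAC from the Python standard library stands in for the authenticity check; in a real firmware-update design the preferred form is an asymmetric signature, so the device holds only a public key and cannot itself mint valid tags, but the verifier's structure (recompute over the payload, compare in constant time, reject on mismatch) is the same.

```python
import hashlib
import hmac
import os
import zlib

# Constructed sample "firmware image" (not a real image format).
ORIGINAL_IMAGE = b"FWv1.0:boot=normal;ota_url=https://vendor.example/update"
# The attacker's edit: redirect future updates to a host they control.
TAMPERED_IMAGE = ORIGINAL_IMAGE.replace(b"vendor.example", b"attacker.example")

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


# --- Weak pattern (what the observed examples describe) ---
def package_with_crc(image: bytes) -> bytes:
    """Append a CRC32 trailer. This detects accidental corruption only."""
    return image + zlib.crc32(image).to_bytes(4, "big")


def accept_with_crc(package: bytes) -> bool:
    """Vulnerable check: CRC32 has no secret, so anyone who can edit the
    image can recompute a matching trailer. Integrity != authenticity."""
    if len(package) < 4:
        return False
    image, trailer = package[:-4], package[-4:]
    return zlib.crc32(image) == int.from_bytes(trailer, "big")


# --- Hardened pattern: keyed MAC, only the legitimate signer has the key ---
def package_with_mac(image: bytes, key: bytes) -> bytes:
    """Signer side (vendor build system): append HMAC-SHA256 over the image."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def accept_with_mac(package: bytes, key: bytes) -> bool:
    """Device side: recompute the tag and compare in constant time."""
    if len(package) < TAG_LEN:
        return False
    image, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# --- What an attacker in the update path can do against each check ---
def attacker_forge_crc(new_image: bytes) -> bytes:
    """The CRC algorithm is public: just rebuild the package."""
    return package_with_crc(new_image)


def attacker_forge_mac(old_package: bytes, new_image: bytes) -> bytes:
    """No key, so the best the attacker can do is reuse the old tag."""
    return new_image + old_package[-TAG_LEN:]


def demo() -> dict:
    # Assumed: key provisioned to the device at manufacture; constructed here.
    key = os.urandom(32)
    crc_pkg = package_with_crc(ORIGINAL_IMAGE)
    mac_pkg = package_with_mac(ORIGINAL_IMAGE, key)
    return {
        "crc_accepts_genuine": accept_with_crc(crc_pkg),
        "crc_accepts_forged": accept_with_crc(attacker_forge_crc(TAMPERED_IMAGE)),
        "mac_accepts_genuine": accept_with_mac(mac_pkg, key),
        "mac_accepts_forged": accept_with_mac(
            attacker_forge_mac(mac_pkg, TAMPERED_IMAGE), key
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}")
```

The CRC path accepts both the genuine and the tampered image, which is exactly the weakness: the check answers "was this damaged in transit?" and nothing else. The MAC path rejects the forgery because producing a valid tag needs the key. When reviewing a device, look for the verifier that compares a digest or checksum that the update package itself carries; if the package contains everything needed to pass the check, the check proves nothing about origin. One caveat specific to the HMAC variant: a single key shared across a product line means a key extracted from one unit forges updates for all of them, which is the main reason firmware signing uses public-key signatures in practice.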