CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Low
CWE Name: Certificate without revocation information
CWE ID: CWE-16
CVSS Score: 7.4
Compliance:
  OWASP TOP10 -> A2
  PCI-DSS -> 4.1, 6.5.4
  ISO27001 -> A.5.14, A.8.9, A.8.24
Certificate without revocation information

A certificate without revocation information cannot be effectively revoked by its owner if its private key is compromised. To validate a certificate, browsers consult the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) endpoints that should be listed in the certificate itself; when those pointers are absent, the revocation status cannot be checked at all. This means that browsers will not warn the user when they visit a site that is using a malicious certificate, for instance in a Man-in-the-Middle attack. To take advantage of this vulnerability an attacker must first obtain the private key and be able to monitor the victim's traffic, which is normally hard to achieve.

How to fix

  • This vulnerability can be fixed by including a CRL or OCSP endpoint in the corresponding extensions of the certificate (CRL Distribution Points and Authority Information Access). Certificates issued by a public Certification Authority (CA) normally don’t have this problem, and when they do, it can be fixed by asking the CA to include the CRL and/or OCSP endpoint.

    For certificates obtained from other sources, such as self-signed or generated by an internal CA, you must configure the software that generates the certificates to include that information. Self-signed certificates normally don’t have revocation information, especially if they are only used for testing purposes.
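The following is an added example (not part of this advisory) showing both halves of the fix above: an OpenSSL configuration that puts CRL and OCSP pointers into a certificate generated by an internal or self-signed process, and a check that detects a certificate lacking them. The hostname and the `pki.example.test` / `ocsp.example.test` URLs are constructed placeholders; an internal CA must publish real endpoints at whatever URLs it embeds, otherwise clients still cannot check revocation.

```shell
#!/bin/sh
# Added example: issue a test certificate that carries revocation pointers,
# issue one without them for comparison, and check either for the pointers.
# All names and URLs below are placeholders for an internal CA (assumption).
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL config whose X.509 extensions include the revocation information.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no

[ dn ]
CN = internal-app.example.test

[ v3_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:internal-app.example.test
# Revocation information (placeholder URLs; must be reachable by clients):
crlDistributionPoints = URI:http://pki.example.test/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF
}

# Generate a key and a self-signed certificate using the config above.
# Prints the path of the certificate.
make_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
  echo "$WORKDIR/cert.pem"
}

# Generate a certificate the way it is often done for testing: no extensions
# at all, hence no revocation information. Prints the path of the certificate.
make_cert_without_revocation() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/bare.key" -out "$WORKDIR/bare.pem" \
    -subj "/CN=internal-app.example.test" >/dev/null 2>&1
  echo "$WORKDIR/bare.pem"
}

# Check a PEM certificate for a CRL Distribution Points extension or an OCSP
# URI in Authority Information Access. Prints "ok" and returns 0 when at
# least one is present; prints "missing" and returns 1 otherwise.
check_revocation_info() {
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CRL Distribution Points' ||
     printf '%s\n' "$text" | grep -q 'OCSP - URI'; then
    echo "ok"
    return 0
  fi
  echo "missing"
  return 1
}

# Usage when run directly: issue both certificates and report on each.
if [ "${0##*/}" = "revocation-check.sh" ]; then
  check_revocation_info "$(make_cert)"
  check_revocation_info "$(make_cert_without_revocation)" || true
fi
```

The check only tests for the presence of the pointers, which is what this finding is about; it does not fetch the CRL or query the OCSP responder, so a certificate that embeds unreachable or stale endpoints would still pass it.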