Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-354 (完整性检查值验证不恰当) — Vulnerability Class 63

63 vulnerabilities classified as CWE-354 (完整性检查值验证不恰当). AI Chinese analysis included.

CWE-354 represents a critical integrity verification weakness where software fails to properly validate checksums or integrity check values associated with incoming data. This flaw typically allows attackers to exploit the system by intercepting and modifying messages during transmission, effectively bypassing detection mechanisms that should identify corrupted or tampered content. Without rigorous validation, the application may process maliciously altered data, leading to severe consequences such as data corruption, unauthorized access, or system instability. Developers can mitigate this risk by strictly implementing cryptographic hashing algorithms, such as SHA-256, to generate and verify unique integrity signatures for all critical data packets. Ensuring that every received message is authenticated against its expected hash value before processing guarantees data authenticity and prevents the execution of compromised instructions or the acceptance of forged inputs.

MITRE CWE Description
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences.
Common Consequences (3)
Integrity, OtherModify Application Data, Other
Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected.
Integrity, OtherOther
Data that is parsed and used may be corrupted.
Non-Repudiation, OtherHide Activities, Other
Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent.
Mitigations (1)
ImplementationEnsure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.
Examples (1)
The following example demonstrates the weakness.
sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==...) n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); }
Bad · C
while(true) { DatagramPacket packet = new DatagramPacket(data,data.length,IPAddress, port); socket.send(sendPacket); }
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2019-10155 Libreswan 输入验证错误漏洞 — libreswan 4.2 -2019-06-12
CVE-2017-3224 Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency in affected Quagga and downstream implementations (SUSE, openSUSE, and Red Hat packages) — Protocol 6.9 -2018-07-24
CVE-2018-5441 PHOENIX CONTACT mGuard 安全漏洞 — PHOENIX CONTACT mGuard 8.1 -2018-01-30

Vulnerabilities classified as CWE-354 (完整性检查值验证不恰当) represent 63 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.