1. Home
  2. CWE Database
  3. CWE-324
Base · Medium

CWE-324: Use of a Key Past its Expiration Date

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

CWE-324 · Base Level ·1 CVEs ·1 Mitigations

Description

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.

Potential Impact

Access Control

Bypass Protection Mechanism, Gain Privileges or Assume Identity

Demonstrative Examples

The following code attempts to verify that a certificate is valid.
Bad
if (cert = SSL_get_peer_certificate(ssl)) {
                        foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))
                              
                                 
                                 //do stuff
                                 
                              
                           
                        
                     }
The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.

Mitigations & Prevention

Architecture and Design

Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

Real-World CVE Examples

CVE IDDescription
CVE-2021-33020Picture Archiving and Communication System (PACS) system for hospitals uses a cryptographic key or password past its expiration date

CWE-672: Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revok...

CWE-298: Improper Validation of Certificate Expiration

A certificate expiration is not validated or is incorrectly validated.

Taxonomy Mappings

  • CLASP: — Using a key past its expiration date

Frequently Asked Questions

What is CWE-324?

CWE-324 (Use of a Key Past its Expiration Date) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

How can CWE-324 be exploited?

Attackers can exploit CWE-324 (Use of a Key Past its Expiration Date) to bypass protection mechanism, gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-324?

Key mitigations include: Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the p

What is the severity of CWE-324?

CWE-324 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.