Class · High

CWE-345: Insufficient Verification of Data Authenticity

CWE-345 · Class Level · 3 CVEs

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Potential Impact

Scope: Integrity, Other

Technical Impact: Varies by Context, Unexpected State

Demonstrative Examples

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors did not sign firmware images.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID           Description
CVE-2022-30260   Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
CVE-2022-30267   Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
CVE-2022-30272   Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums
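The OT:ICEFALL finding and the three CVEs above share one root cause: the device checks a checksum, which only detects accidental corruption, instead of checking who produced the image. The following is an added example, not code from the page, from MITRE, or from any of the affected vendors. It packages a constructed firmware payload two ways and then plays the attacker: an insecure-checksum trailer that the attacker simply recomputes, beside an authenticated trailer that fails once the bytes change. GENUINE_PAYLOAD and VENDOR_KEY are invented for the demonstration, and an HMAC-SHA256 tag stands in for a real signature so the block runs with the standard library alone; production firmware should use an asymmetric signature so the device stores only a public key and no per-device secret can be extracted to forge images.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample firmware payload (not a real image): a magic string, a
# version word and some fake code bytes.
GENUINE_PAYLOAD = (
    b"RTUFW"
    + struct.pack(">H", 0x0102)
    + b"boot: jump 0x0800_0100\n"
    + bytes(range(64))
)

# Hypothetical vendor key. An HMAC key stands in for a signing key so this
# runs with the standard library only; real firmware should use an
# asymmetric signature so the device holds only the public key.
VENDOR_KEY = bytes.fromhex("6b8e1f2c" * 8)

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def package_with_crc(payload: bytes) -> bytes:
    """Insecure-by-design packaging: a trailing CRC32 catches accidental corruption only."""
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def verify_crc(image: bytes) -> bool:
    """Integrity check with no notion of origin: anyone can recompute the CRC."""
    if len(image) < 4:
        return False
    payload, (crc,) = image[:-4], struct.unpack(">I", image[-4:])
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


def package_with_mac(payload: bytes, key: bytes) -> bytes:
    """Authenticated packaging: only a holder of the key can produce the tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac(image: bytes, key: bytes) -> bool:
    """Origin check: rejects any payload whose tag was not made with the key.

    compare_digest is used so a forged tag cannot be matched byte by byte
    through timing differences.
    """
    if len(image) < TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def tamper(payload: bytes) -> bytes:
    """Attacker swaps the boot target for their own code (same length, layout intact)."""
    return payload.replace(b"jump 0x0800_0100", b"jump 0xDEAD_BEEF")


def run_attack() -> dict:
    """Simulate an attacker who has the image format but not VENDOR_KEY."""
    crc_image = package_with_crc(GENUINE_PAYLOAD)
    mac_image = package_with_mac(GENUINE_PAYLOAD, VENDOR_KEY)

    evil = tamper(GENUINE_PAYLOAD)
    assert evil != GENUINE_PAYLOAD

    # Against the CRC scheme the attacker recomputes the trailer; the device
    # cannot distinguish the forged image from a vendor build.
    forged_crc = package_with_crc(evil)

    # Against the MAC scheme the attacker can only reuse the old tag or guess;
    # without the key they cannot produce a valid tag for the new bytes.
    forged_mac = evil + mac_image[-TAG_LEN:]

    return {
        "crc_accepts_genuine": verify_crc(crc_image),
        "crc_accepts_tampered": verify_crc(forged_crc),
        "mac_accepts_genuine": verify_mac(mac_image, VENDOR_KEY),
        "mac_accepts_tampered": verify_mac(forged_mac, VENDOR_KEY),
    }


if __name__ == "__main__":
    for check, accepted in run_attack().items():
        print(f"{check}: {'ACCEPTED' if accepted else 'rejected'}")
```

The result to notice is that both schemes accept the genuine image, so a vendor's own test suite will not reveal the difference; only the forged image separates them. A device running verify_crc installs the attacker's code, which is the "change the code that the products executed" outcome the study reports, while verify_mac rejects it because the trailer is bound to a secret the attacker does not have.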

Taxonomy Mappings

  • PLOVER — Insufficient Verification of Data
  • OWASP Top Ten 2004: A3 — Broken Authentication and Session Management
  • WASC: 12 — Content Spoofing

Frequently Asked Questions

What is CWE-345?

CWE-345 (Insufficient Verification of Data Authenticity) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

How can CWE-345 be exploited?

Attackers exploit CWE-345 by supplying data whose origin the product never authenticates, so the product accepts it as genuine. The concrete impact varies by context; the common result is that the product enters an unexpected state because it acted on data it should have rejected. In the firmware cases listed above, an attacker who can deliver an image that passes the checksum can change the code the device executes. This weakness is typically introduced during the Architecture and Design or Implementation phases of software development.

How do I prevent CWE-345?

Authenticate data before acting on it: verify its origin with a cryptographic mechanism such as a digital signature, and never treat a checksum or CRC as proof of origin, since anyone who knows the format can recompute one. For firmware, sign images and have the device verify the signature against a trusted public key before installing. Complement this with secure coding practices, code reviews, and automated security testing tools (SAST/DAST) to detect the weakness early in the development lifecycle.

What is the severity of CWE-345?

CWE-345 is classified as a Class-level weakness (High abstraction). It has been observed in 3 real-world CVEs.