Download of Code Without Integrity Check

Draft Base

Structure: Simple

Description

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Extended Description

An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.

Common Consequences 1

Scope: IntegrityAvailabilityConfidentialityOther

Impact: Execute Unauthorized Code or CommandsAlter Execution LogicOther

Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.

Detection Methods 3

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.

Black Box

Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 5

Phase: Implementation

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

Phase: Architecture and DesignOperation

Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. - When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain Improper Certificate Validation, Key Management Errors, Improper Verification of Cryptographic Signature, and related weaknesses. - Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456].

Phase: Architecture and DesignOperation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and DesignOperation

Strategy: Sandbox or Jail

Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid Creation of chroot Jail Without Changing Working Directory and other weaknesses related to jails.

Effectiveness: Limited

Demonstrative Examples 2

This example loads an external class from a local subdirectory.

Code Example:Bad
Java
java

This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code.

ID : DX-219

This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.

Code Example:

Bad

PHP

//assume the password is already encrypted, avoiding CWE-312*

php

php

This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account.

This example is also vulnerable to an Adversary-in-the-Middle AITM (Channel Accessible by Non-Endpoint) attack.

Observed Examples 6

CVE-2019-9534Satellite phone does not validate its firmware image.

CVE-2021-22909Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (Improper Certificate Validation), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (Download of Code Without Integrity Check).

CVE-2008-3438OS does not verify authenticity of its own updates.

CVE-2008-3324online poker client does not verify authenticity of its own updates.

CVE-2001-1125anti-virus product does not verify automatic updates for itself.

CVE-2002-0671VOIP phone downloads applications from web sites without verifying integrity.

References 9

Introduction to Code Signing

Microsoft

http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx

ID: REF-454

Authenticode

Microsoft

http://msdn.microsoft.com/en-us/library/ms537359(v=VS.85).aspx

ID: REF-455

Code Signing Guide

Apple

Apple Developer Connection

19-11-2008

https://web.archive.org/web/20080724215143/http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html(2023-04-07)

ID: REF-456

Secure Software Updates: Disappointments and New Challenges

Anthony Bellissimo, John Burgess, and Kevin Fu

https://www.usenix.org/legacy/events/hotsec06/tech/full_papers/bellissimo/bellissimo.pdf(2025-07-24)

ID: REF-457

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

Top 25 Series - Rank 20 - Download of Code Without Integrity Check

Johannes Ullrich

SANS Software Security Institute

05-04-2010

https://www.sans.org/blog/top-25-series-rank-20-download-of-code-without-integrity-check/(2023-04-07)

ID: REF-459

Least Privilege

Sean Barnum and Michael Gegick

14-09-2005

https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege(2023-04-07)

ID: REF-76

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

D3FEND: D3-TL Trusted Library

D3FEND

https://d3fend.mitre.org/technique/d3f:TrustedLibrary/(2025-09-06)

ID: REF-1482

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Attack Patterns

Related Weaknesses

ChildOf:

Insufficient Verification of Data Authenticity (CWE-345)

ChildOf:

Incorrect Resource Transfer Between Spheres (CWE-669)

ChildOf:

Incorrect Resource Transfer Between Spheres (CWE-669)

Taxonomy Mapping

CLASP
The CERT Oracle Secure Coding Standard for Java (2011)
Software Fault Patterns

Notes

Research GapThis is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. Common exploitation scenarios may include ad server compromises and bad upgrades.