CWE-671 – Lack of Administrator Control over Security

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats, including the product's own developer, can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, which exposes the product to attacks that the administrator cannot prevent.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-657

Consequences

Other: Varies by Context

Potential Mitigations

CVE References

CWE-670 – Always-Incorrect Control Flow Implementation

Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.
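The missing-braces case above, worked through as an added example (this code is not from the CWE entry or any product it cites): the intended algorithm is "admins are audited and allowed, everyone else is denied", but without braces only the audit call belongs to the if, and the indented return runs for every caller. The function names and the audit stub are assumptions made for the illustration.

```c
#include <stdio.h>

enum { DENY = 0, ALLOW = 1 };

/* Stand-in for an audit log (assumed for the example); counts calls so the
 * effect is observable without real logging. */
static int audit_calls = 0;
static void audit(const char *what)
{
    (void)what;
    audit_calls++;
}

/* Intended algorithm: admins are logged and allowed, everyone else is denied.
 * The missing braces bind only audit() to the if. The indented "return ALLOW"
 * is unconditional, so every non-admin is authorized. No malicious input is
 * needed to trigger this: the path is wrong on every call. */
int authorize_buggy(int is_admin)
{
    if (is_admin)
        audit("admin access granted");
        return ALLOW;    /* always executed; the DENY below is unreachable */
    return DENY;
}

/* Same intent; braces make the block explicit and the logic matches it. */
int authorize_fixed(int is_admin)
{
    if (is_admin) {
        audit("admin access granted");
        return ALLOW;
    }
    return DENY;
}

int main(void)
{
    printf("buggy: non-admin -> %s\n", authorize_buggy(0) == ALLOW ? "ALLOW" : "DENY");
    printf("fixed: non-admin -> %s\n", authorize_fixed(0) == ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

GCC's -Wmisleading-indentation (part of -Wall since GCC 6) reports exactly this shape, which is the cheapest check for it; a reviewer reading the fixed version needs no such tool because the braces state the block.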

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-691

Consequences

Other: Other, Alter Execution Logic

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code

CWE-67 – Improper Handling of Windows Device Names

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, a bug in the Windows 9x operating systems (CVE-2000-0168, listed below) caused a blue screen of death when a pathname included a device name. Even after that issue was fixed, DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-66

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

Potential Mitigations

Phase: Implementation

Description: 

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
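One way to implement that check, as an added example (not code from the CWE entry or from any of the products in the CVEs below). It applies the parts of Windows name resolution that defeat a naive string compare: only the last path component matters, the name is cut at the first "." or ":" (so CON.txt and AUX.tar.gz still address the device), trailing spaces are ignored, and matching is case-insensitive. The function name, the sample paths and the fixed list of names are assumptions for the illustration; newer Windows releases have extended the reserved list (for example COM and LPT with superscript digits), so the table should be checked against the deployment target. strncasecmp is POSIX; on MSVC use _strnicmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX); on MSVC use _strnicmp */

/* Reserved MS-DOS device names. Newer Windows releases have extended this
 * list, so check it against the version you deploy on. */
static const char *const DEVICE_NAMES[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Returns 1 if the final component of `path` would be resolved by Windows as
 * a DOS device, else 0. Mirrors the rules that defeat naive filters:
 *   - only the final path component matters ("/uploads/CON" is still CON),
 *   - the name is cut at the first '.' or ':' ("CON.txt", "AUX.tar.gz", "COM1:"),
 *   - trailing spaces are ignored ("lpt1 "),
 *   - matching is case-insensitive. */
int is_windows_device_name(const char *path)
{
    if (path == NULL)
        return 0;

    /* Accept both separators: URLs and Windows paths mix them. */
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    size_t len = strcspn(base, ".:");          /* cut at first '.' or ':' */
    while (len > 0 && base[len - 1] == ' ')    /* ignore trailing spaces */
        len--;
    if (len == 0 || len > 4)                   /* no reserved name is longer */
        return 0;

    for (size_t i = 0; i < sizeof DEVICE_NAMES / sizeof DEVICE_NAMES[0]; i++) {
        if (strlen(DEVICE_NAMES[i]) == len &&
            strncasecmp(base, DEVICE_NAMES[i], len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any of the CVEs on this page. */
    const char *samples[] = {
        "/index.jsp", "/CON.jsp", "C:\\inetpub\\wwwroot\\aux.tar.gz",
        "lpt1 ", "Com9:", "COM10", "console.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               is_windows_device_name(samples[i]) ? "reject (device name)" : "ok");
    return 0;
}
```

Run the check on every component the application will open, not only on the raw request path: the name an attacker supplies may reach the filesystem only after URL decoding, path normalisation or concatenation with an extension. Because it is a denylist, pair it with an allowlist of acceptable filename characters where the application controls naming.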

CVE References

  • CVE-2002-0106
    • Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200
    • Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052
    • Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493
    • Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558
    • Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  • CVE-2000-0168
    • Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492
    • Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552
    • Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195
    • Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

CWE-669 – Incorrect Resource Transfer Between Spheres

Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-664

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

Potential Mitigations

CVE References

CWE-668 – Exposure of Resource to Wrong Sphere

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-664

Consequences

Confidentiality, Integrity, Other: Read Application Data, Modify Application Data, Other

Potential Mitigations

CVE References

CWE-667 – Improper Locking

Description

The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-662

Consequences

Availability: DoS: Resource Consumption (CPU)

Inconsistent locking discipline can lead to deadlock.

Potential Mitigations

Phase: Implementation

Description: 

Use industry-standard APIs to implement locking mechanisms, and make sure that every exit path from a critical section releases exactly the locks that path acquired.
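The "unlock of a resource that was not locked" pattern behind several of the CVEs below, as an added example using POSIX threads (this is illustration code, not from the CWE entry or from any of the affected kernels and servers). The vulnerable function routes an early validation failure through a cleanup label that unlocks unconditionally; the fixed one validates before locking and pairs each acquire with exactly one release. The mutex is created as PTHREAD_MUTEX_ERRORCHECK so the bogus unlock is reported as EPERM instead of being undefined behaviour; the account structure, function names and amounts are assumptions for the example. Link with -lpthread on older glibc.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* A shared resource and its lock. The mutex is created as
 * PTHREAD_MUTEX_ERRORCHECK so that unlocking a mutex this thread does not
 * hold returns EPERM. With the default mutex type that is undefined
 * behaviour, which is how "unlock of a resource that was not locked" turns
 * into the panics and memory overwrites in the CVEs on this page. */
struct account {
    pthread_mutex_t lock;
    long balance;
};

int account_init(struct account *a, long balance)
{
    pthread_mutexattr_t attr;
    int rc = pthread_mutexattr_init(&attr);
    if (rc != 0)
        return rc;
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    rc = pthread_mutex_init(&a->lock, &attr);
    pthread_mutexattr_destroy(&attr);
    a->balance = balance;
    return rc;
}

/* Vulnerable: the early validation failure jumps to a cleanup label that
 * always unlocks, although the lock was never taken on that path.
 * Returns 0 on success, otherwise an errno value. */
int withdraw_buggy(struct account *a, long amount)
{
    int rc;
    if (amount <= 0) {
        rc = EINVAL;
        goto out;                 /* lock not acquired, but `out` unlocks */
    }
    pthread_mutex_lock(&a->lock);
    if (a->balance < amount) {
        rc = EAGAIN;
        goto out;
    }
    a->balance -= amount;
    rc = 0;
out:
    {
        int urc = pthread_mutex_unlock(&a->lock);
        if (urc != 0)
            return urc;           /* EPERM on the amount <= 0 path */
    }
    return rc;
}

/* Fixed: validate before taking the lock, check that the lock call
 * succeeded, and send only post-lock exits through the unlock label, so
 * acquire and release pair up on every path. */
int withdraw_fixed(struct account *a, long amount)
{
    int rc;
    if (amount <= 0)
        return EINVAL;
    rc = pthread_mutex_lock(&a->lock);
    if (rc != 0)
        return rc;
    if (a->balance < amount) {
        rc = EAGAIN;
        goto unlock;
    }
    a->balance -= amount;
    rc = 0;
unlock:
    pthread_mutex_unlock(&a->lock);
    return rc;
}

int main(void)
{
    struct account acct;
    if (account_init(&acct, 100) != 0)
        return 1;
    printf("buggy withdraw(-5) -> %d (EPERM is %d: unlock of unlocked mutex)\n",
           withdraw_buggy(&acct, -5), EPERM);
    printf("fixed withdraw(-5) -> %d (EINVAL is %d)\n",
           withdraw_fixed(&acct, -5), EINVAL);
    printf("fixed withdraw(30) -> %d, balance now %ld\n",
           withdraw_fixed(&acct, 30), acct.balance);
    pthread_mutex_destroy(&acct.lock);
    return 0;
}
```

Error-checking mutexes cost a little and are not what production builds usually ship, but enabling them in test builds turns the silent corruption of a mismatched unlock into a deterministic failure, which is the cheapest way to catch the goto-cleanup mistake shown here.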

CVE References

  • CVE-2009-0935
    • Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
  • CVE-2010-4210
    • function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
  • CVE-2008-4302
    • Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
  • CVE-2009-1243
    • OS kernel performs an unlock in some incorrect circumstances, leading to panic.
  • CVE-2009-4272
    • deadlock triggered by packets that force collisions in a routing table
  • CVE-2002-1850
    • read/write deadlock between web server and script
  • CVE-2004-0174
    • web server deadlock involving multiple listening connections
  • CVE-2009-1388
    • multiple simultaneous calls to the same function trigger deadlock.
  • CVE-2006-5158
    • chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
  • CVE-2006-4342
    • deadlock when an operation is performed on a resource while it is being removed.
  • CVE-2006-2374
    • Deadlock in device driver triggered by using file handle of a related device.
  • CVE-2006-2275
    • Deadlock when large number of small messages cannot be processed quickly enough.
  • CVE-2005-3847
    • OS kernel has deadlock triggered by a signal during a core dump.
  • CVE-2005-2456
    • Chain: array index error (CWE-129) leads to deadlock (CWE-833)
  • CVE-2001-0682
    • Program cannot execute when attacker obtains a mutex.
  • CVE-2002-1914
    • Program cannot execute when attacker obtains a lock on a critical output file.
  • CVE-2002-1915
    • Program cannot execute when attacker obtains a lock on a critical output file.
  • CVE-2002-0051
    • Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
  • CVE-2000-0338
    • Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
  • CVE-2000-1198
    • Chain: Lock files with predictable names. Resultant from randomness.
  • CVE-2002-1869
    • Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.

CWE-666 – Operation on Resource in Wrong Phase of Lifetime

Description

The software performs an operation on a resource at the wrong phase of the resource’s lifecycle, which can lead to unexpected behaviors.

When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource is in the expected state. In this case, the software wants to perform a normally valid operation, initialization, use or release, on a resource when it is in the incorrect phase of its lifetime.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-664

Consequences

Other: Other

Potential Mitigations

Phase: Architecture and Design

Description: 

Follow the resource’s lifecycle from creation to release.

CVE References

CWE-665 – Improper Initialization

Description

The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664

Consequences

Confidentiality: Read Memory, Read Application Data

When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Access Control: Bypass Protection Mechanism

If security-critical decisions rely on a variable holding a "0" or equivalent value, and the programmer assumes the language initializes it on their behalf when it does not (as with local variables in C), then a bypass of security may occur.

Availability: DoS: Crash, Exit, or Restart

The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.

Potential Mitigations

Phase: Requirements

Description: 

Phase: Architecture and Design

Description: 

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Phase: Implementation

Description: 

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Phase: Implementation

Description: 

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Phase: Implementation

Description: 

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Description: 

Run or compile your software with settings that generate warnings about uninitialized variables or data.

Phase: Testing

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
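The "original contents not cleared before the resource is sent to an untrusted party" consequence, worked through as an added example (illustration code, not from the CWE entry or from the product in CVE-2008-0063, which the shape is modelled on). A per-connection record is reused for every reply; the vulnerable error path writes a short message into it but transmits the whole fixed-size record, so stale bytes from the previous reply go out with it. The fix clears the record before reuse and reports only the bytes actually written. The structure, the record size and the sample token are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECORD_LEN 32

/* Per-connection scratch record reused for every reply, as a long-lived
 * server context would do (assumed layout for the example). */
struct conn {
    char out[RECORD_LEN];
};

/* Simulates an earlier successful reply that left a secret in the record. */
void conn_send_previous(struct conn *c, const char *secret)
{
    snprintf(c->out, RECORD_LEN, "OK token=%s", secret);
}

/* Vulnerable: writes a short error string but reports the whole fixed-size
 * record as the bytes to transmit. Everything after the NUL is stale data
 * from the previous reply. Returns the number of bytes the caller sends. */
size_t build_error_buggy(struct conn *c, const char *code)
{
    snprintf(c->out, RECORD_LEN, "ERR %s", code);
    return RECORD_LEN;
}

/* Fixed: clear the record before reuse and hand out only the bytes that were
 * actually written. Either change alone closes the leak; doing both keeps a
 * later refactor that sends the full record again from reopening it. */
size_t build_error_fixed(struct conn *c, const char *code)
{
    memset(c->out, 0, RECORD_LEN);
    int n = snprintf(c->out, RECORD_LEN, "ERR %s", code);
    if (n < 0)
        return 0;
    return (size_t)n < RECORD_LEN ? (size_t)n : RECORD_LEN - 1;
}

/* Does the region that would be transmitted still contain `needle`?
 * A NUL-aware search: strstr would stop at the first NUL and miss it. */
int transmitted_contains(const struct conn *c, size_t sent, const char *needle)
{
    size_t n = strlen(needle);
    if (sent > RECORD_LEN)
        sent = RECORD_LEN;
    for (size_t i = 0; i + n <= sent; i++)
        if (memcmp(c->out + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct conn c;
    memset(&c, 0, sizeof c);              /* constructed sample state */
    conn_send_previous(&c, "hunter2");    /* constructed sample secret */

    size_t sent = build_error_buggy(&c, "42");
    printf("buggy: transmitted bytes contain previous token? %s\n",
           transmitted_contains(&c, sent, "hunter2") ? "yes" : "no");

    conn_send_previous(&c, "hunter2");
    sent = build_error_fixed(&c, "42");
    printf("fixed: transmitted bytes contain previous token? %s\n",
           transmitted_contains(&c, sent, "hunter2") ? "yes" : "no");
    return 0;
}
```

The same discipline applies to heap and stack buffers handed to a sender: the length passed to write() or send() must describe what this call filled in, never the capacity of the buffer, and a buffer that outlives one request should be cleared at the start of the next.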

CVE References

  • CVE-2001-1471
    • chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection.
  • CVE-2008-3637
    • Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution.
  • CVE-2008-4197
    • Use of uninitialized memory may allow code execution.
  • CVE-2008-2934
    • Free of an uninitialized pointer leads to crash and possible code execution.
  • CVE-2007-3749
    • OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges.
  • CVE-2008-0063
    • Product does not clear memory contents when generating an error message, leading to information leak.
  • CVE-2008-0062
    • Lack of initialization triggers NULL pointer dereference or double-free.
  • CVE-2008-0081
    • Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2008-3688
    • chain: Uninitialized variable leads to infinite loop.
  • CVE-2008-3475
    • chain: Improper initialization leads to memory corruption.
  • CVE-2008-5021
    • Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory.
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
  • CVE-2008-3597
    • chain: game server can access player data structures before initialization has happened leading to NULL dereference
  • CVE-2009-2692
    • chain: uninitialized function pointers can be dereferenced allowing code execution
  • CVE-2009-0949
    • chain: improper initialization of memory can lead to NULL dereference
  • CVE-2009-3620
    • chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference

CWE-664 – Improper Control of a Resource Through its Lifetime

Description

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Modes of Introduction:

– Implementation

Related Weaknesses

Consequences

Other: Other

Potential Mitigations

Phase: Testing

Description: 

Use static analysis tools to check for unreleased resources.

CVE References

CWE-663 – Use of a Non-reentrant Function in a Concurrent Context

Description

The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-662

Consequences

Integrity, Confidentiality, Other: Modify Memory, Read Memory, Modify Application Data, Read Application Data, Alter Execution Logic

Potential Mitigations

Phase: Implementation

Description: 

Use reentrant functions if available.

Phase: Implementation

Description: 

Add synchronization to your non-reentrant function.

Phase: Implementation

Description: 

In Java, use the ReentrantLock class.
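Both halves of this entry, as one added example in C (illustration code, not from the CWE entry or from the FTP server in the CVEs below). The first half shows what "use reentrant functions if available" buys: two tokenisations run in lockstep share strtok()'s hidden static cursor and produce a wrong answer, while strtok_r() gives each its own state. The second half shows the signal-handler case from the CVEs: instead of calling malloc, free or printf from the handler, the handler only stores a flag into a volatile sig_atomic_t and the main loop does the work. The function names, the comma-separated sample data and the choice of SIGUSR1 for the demonstration are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Walk two comma-separated field lists in lockstep and count the positions
 * where they agree. The lockstep loop interleaves two tokenisations, which is
 * exactly the "competing code sequence" that breaks a non-reentrant function:
 * strtok() keeps its cursor in static storage shared by both. */
int matching_fields_buggy(const char *a, const char *b)
{
    char bufa[128], bufb[128];
    snprintf(bufa, sizeof bufa, "%s", a);
    snprintf(bufb, sizeof bufb, "%s", b);

    int matches = 0;
    char *ta = strtok(bufa, ",");
    char *tb = strtok(bufb, ",");     /* silently replaces the cursor into bufa */
    while (ta != NULL && tb != NULL) {
        if (strcmp(ta, tb) == 0)
            matches++;
        ta = strtok(NULL, ",");       /* continues inside bufb, not bufa */
        tb = strtok(NULL, ",");
    }
    return matches;
}

/* Same algorithm with strtok_r(): each tokenisation owns its cursor. */
int matching_fields_fixed(const char *a, const char *b)
{
    char bufa[128], bufb[128], *sa, *sb;
    snprintf(bufa, sizeof bufa, "%s", a);
    snprintf(bufb, sizeof bufb, "%s", b);

    int matches = 0;
    char *ta = strtok_r(bufa, ",", &sa);
    char *tb = strtok_r(bufb, ",", &sb);
    while (ta != NULL && tb != NULL) {
        if (strcmp(ta, tb) == 0)
            matches++;
        ta = strtok_r(NULL, ",", &sa);
        tb = strtok_r(NULL, ",", &sb);
    }
    return matches;
}

/* Signal-handler side of the same weakness. A handler that calls malloc(),
 * free() or printf() can re-enter them while the interrupted code is in the
 * middle of the same call. The safe pattern records the event in a
 * sig_atomic_t and leaves the real work to the main loop. */
static volatile sig_atomic_t pending_signal = 0;

static void on_signal_safe(int signo)
{
    (void)signo;
    pending_signal = 1;            /* async-signal-safe: a single store */
}

int install_safe_handler(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, NULL);
}

/* Main-loop check: consume the flag and report whether a signal arrived. */
int take_pending_signal(void)
{
    if (!pending_signal)
        return 0;
    pending_signal = 0;
    return 1;
}

int main(void)
{
    /* Constructed sample data: positions 0 and 2 agree, so the answer is 2. */
    const char *a = "alice,bob,carol", *b = "alice,eve,carol";
    printf("strtok   : %d matching fields\n", matching_fields_buggy(a, b));
    printf("strtok_r : %d matching fields\n", matching_fields_fixed(a, b));

    install_safe_handler(SIGUSR1);
    raise(SIGUSR1);
    printf("signal recorded via flag: %s\n", take_pending_signal() ? "yes" : "no");
    return 0;
}
```

The list of functions that may be called from a handler is the async-signal-safe list in POSIX (signal-safety(7) on Linux); malloc, free and the stdio family are not on it, which is why the handler above does nothing beyond the store. For a handler that must wake a blocked event loop rather than a polled flag, a write(2) of one byte to a self-pipe is the usual async-signal-safe alternative.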

CVE References

  • CVE-2001-1349
    • unsafe calls to library functions from signal handler
  • CVE-2004-2259
    • SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.