CWE-696 – Incorrect Behavior Order

Read Time:41 Second

Description

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-691

 

Consequences

Integrity: Alter Execution Logic

 

Potential Mitigations

CVE References

 

  • CVE-2019-9805
    • Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
  • CVE-2007-5191
    • file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges
  • CVE-2007-1588
    • C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be called with higher privileges than intended

CWE-695 – Use of Low-Level Functionality

Read Time:23 Second

Description

The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate.

The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-573

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

 

CWE-694 – Use of Multiple Resources with Duplicate Identifier

Read Time:50 Second

Description

The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-99
CWE-573

 

Consequences

Access Control: Bypass Protection Mechanism

If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.

Other: Quality Degradation

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.

CVE References

 

  • CVE-2013-4787
    • chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.

CWE-693 – Protection Mechanism Failure

Read Time:37 Second

Description

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

This weakness covers three distinct situations. A “missing” protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An “insufficient” protection mechanism might provide some defenses – for example, against the most common attacks – but it does not protect against everything that is intended. Finally, an “ignored” mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

CVE References

 

CWE-692 – Incomplete Denylist to Cross-Site Scripting

Read Time:36 Second

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet” [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-184
CWE-79

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

CVE References

 

  • CVE-2007-5727
    • Denylist only removes