Ransomware Roundup – 2022/05/26

Read Time:4 Minute, 57 Second

FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the “forbidden country” option which attackers can choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won’tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama – hxxps://www[.]coinmama[.]com Bitpanda – hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker’s bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:::: Hello my dear friend :::Unfortunately for you, a major IT security weakness left you open to attack, your files have been encryptedIf you want to restore them,write to our skype – [removed] DECRYPTIONAlso you can write ICQ live chat which works 24/7 @[removed]Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQWrite to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.orgAttention!* Do not rename encrypted files.* Do not try to decrypt your data using third party software, it may cause permanent data loss.* We are always ready to cooperate and find the best way to solve your problem.* The faster you write, the more favorable the conditions will be for you.* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of themWe respect your time and waiting for respond from your sidetell your MachineID: MAHINE_ID and LaunchID: LAUNCH__IDSensitive data on your system was DOWNLOADED.If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.Data includes:- Employees personal data, CVs, DL, SSN.- Complete network map including credentials for local and remote services.- Private financial information including: clients data, bills, budgets, annual reports, bank statements.- Manufacturing documents including: datagrams, schemas, drawings in solidworks format- And more…What is the Status of Coverage against Horsemagyar Ransomware?FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:W32/Filecoder.NSF!tr.ransomAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.

Read More

CWE

Read Time:1 Minute, 11 Second

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities

The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

    Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java web applications. However, like any web server, it is also vulnerable to various security threats. In this article, we’ll explore some of the most dangerous vulnerabilities in Tomcat and provide tips on how to protect…

  • ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

    Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access to systems. One such vulnerability is ZDI-CAN-18333, a critical zero-day vulnerability that affects Microsoft Windows. In this article, we’ll take a closer look at what this vulnerability is, how it works, and what you can…

  • CWE-669 – Incorrect Resource Transfer Between Spheres

    Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security…

  • CWE-67 – Improper Handling of Windows Device Names

    Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. Not properly handling virtual…

  • CWE-670 – Always-Incorrect Control Flow Implementation

    Description The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example,…

  • CWE-671 – Lack of Administrator Control over Security

    Description The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. If the product’s administrator does not…

  • CWE-672 – Operation on a Resource after Expiration or Release

    Description The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-666   Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data If a released resource is subsequently reused or reallocated, then an attempt to…

  • CWE-673 – External Influence of Sphere Definition

    Description The product does not prevent the definition of control spheres from external actors. Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness. Modes of Introduction:…

  • CWE-674 – Uncontrolled Recursion

    Description The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. Modes of Introduction: – Implementation     Related Weaknesses CWE-691   Consequences Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) Resources including CPU, memory, and stack memory could be…

  • CWE-675 – Multiple Operations on Resource in Single-Operation Context

    Description The product performs the same operation on a resource two or more times, when the operation should only be applied once. Modes of Introduction: – Implementation     Related Weaknesses CWE-573 CWE-586 CWE-102   Consequences Other: Other   Potential Mitigations CVE References

  • CWE-676 – Use of Potentially Dangerous Function

    Description The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-1177   Consequences Other: Varies by Context, Quality Degradation, Unexpected State If the function…

  • CWE-680 – Integer Overflow to Buffer Overflow

    Description The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. Modes of Introduction:     Related Weaknesses CWE-190 CWE-119   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…

  • CWE-681 – Incorrect Conversion between Numeric Types

    Description When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses…

  • CWE-682 – Incorrect Calculation

    Description The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can…

  • CWE-683 – Function Call With Incorrect Order of Arguments

    Description The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such…

  • CWE-684 – Incorrect Provision of Specified Functionality

    Description The code does not function according to its published specifications, potentially leading to incorrect usage. When providing functionality to an external party, it is important that the software behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to…

  • CWE-685 – Function Call With Incorrect Number of Arguments

    Description The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations Phase: Testing Description:  Because this function call often…

  • CWE-686 – Function Call With Incorrect Argument Type

    Description The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation…

  • CWE-687 – Function Call With Incorrectly Specified Argument Value

    Description The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations CVE References

  • CWE-688 – Function Call With Incorrect Variable or Reference as Argument

    Description The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-628   Consequences Other: Quality Degradation   Potential Mitigations Phase: Testing Description:  Because this…

  • CWE-689 – Permission Race Condition During Resource Copy

    Description The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. Modes of Introduction: – Implementation     Related Weaknesses CWE-362 CWE-362 CWE-732   Consequences Confidentiality, Integrity: Read Application Data,…

  • CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream

    Description The software does not properly prevent access to, or detect usage of, alternate data streams (ADS). An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and ‘dir’ at the command line utility. Alternately,…

  • CWE-647 – Use of Non-Canonical URL Paths for Authorization Decisions

    Description The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-863   Consequences Access Control: Bypass Protection Mechanism An attacker may…

  • CWE-648 – Incorrect Use of Privileged APIs

    Description The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-269   Consequences Access Control: Gain Privileges…

  • CWE-649 – Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

    Description The software uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the software does not use integrity checks to detect if those inputs have been modified. When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have…

  • CWE-65 – Windows Hard Link

    Description The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for hard…

  • CWE-650 – Trusting HTTP Permission Methods on the Server Side

    Description The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. The HTTP GET…

  • CWE-651 – Exposure of WSDL File Containing Sensitive Information

    Description The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-538…

  • CWE-652 – Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’)

    Description The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…

  • CWE-653 – Improper Isolation or Compartmentalization

    Description The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users. Modes of Introduction: – Architecture and…

  • CWE-654 – Reliance on a Single Factor in a Security Decision

    Description A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-693  …

  • CWE-655 – Insufficient Psychological Acceptability

    Description The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-693   Consequences Access Control: Bypass Protection Mechanism By bypassing the security mechanism,…

  • CWE-656 – Reliance on Security Through Obscurity

    Description The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. This reliance on “security through obscurity” can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that…

  • CWE-657 – Violation of Secure Design Principles

    Description The product violates well-established principles for secure design. This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-710   Consequences Other:…

  • CWE-66 – Improper Handling of File Names that Identify Virtual Resources

    Description The product does not handle or incorrectly handles a file name that identifies a “virtual” resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. Virtual file names are represented like normal file…

  • CWE-662 – Improper Synchronization

    Description The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. Modes of Introduction: – Architecture and Design…

  • CWE-663 – Use of a Non-reentrant Function in a Concurrent Context

    Description The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-662   Consequences Integrity, Confidentiality, Other: Modify Memory,…

  • CWE-664 – Improper Control of a Resource Through its Lifetime

    Description The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. Modes of Introduction: – Implementation     Related Weaknesses   Consequences Other: Other   Potential Mitigations Phase: Testing Description:  Use Static analysis tools to check for unreleased resources. CVE References

  • CWE-665 – Improper Initialization

    Description The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated…

  • CWE-666 – Operation on Resource in Wrong Phase of Lifetime

    Description The software performs an operation on a resource at the wrong phase of the resource’s lifecycle, which can lead to unexpected behaviors. When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource…

  • CWE-667 – Improper Locking

    Description The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-662 CWE-662 CWE-662 CWE-662   Consequences Availability: DoS: Resource Consumption (CPU) Inconsistent locking discipline can lead to deadlock.   Potential Mitigations Phase:…

  • CWE-668 – Exposure of Resource to Wrong Sphere

    Description The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Confidentiality, Integrity, Other: Read Application Data, Modify Application Data, Other   Potential Mitigations CVE References

  • CWE-621 – Variable Extraction Error

    Description The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. Modes of Introduction: – Implementation     Related Weaknesses CWE-914 CWE-471   Consequences Integrity: Modify Application Data An…

  • CWE-622 – Improper Validation of Function Hook Arguments

    Description The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to…

  • CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting

    Description An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior. Modes of Introduction: – Architecture and Design     Related Weaknesses…

  • CWE-624 – Executable Regular Expression Error

    Description The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later…

  • CWE-625 – Permissive Regular Expression

    Description The product uses a regular expression that does not sufficiently restrict the set of allowed values. Modes of Introduction: – Implementation     Related Weaknesses CWE-185 CWE-187 CWE-184 CWE-183   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description:  When applicable, ensure that the regular expression marks beginning and ending string…

  • CWE-626 – Null Byte Interaction Error (Poison Null Byte)

    Description The product does not properly handle null bytes or NUL characters when passing data between different representations or components. Modes of Introduction: – Implementation     Related Weaknesses CWE-147 CWE-436   Consequences Integrity: Unexpected State   Potential Mitigations Phase: Implementation Description:  Remove null bytes from all incoming strings. CVE References CVE-2005-4155 NUL byte bypasses…

  • CWE-627 – Dynamic Variable Evaluation

    Description In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data…

  • CWE-628 – Function Call with Incorrectly Specified Arguments

    Description The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. Modes of Introduction: – Implementation     Related Weaknesses CWE-573   Consequences Other, Access Control: Quality Degradation, Gain Privileges or Assume Identity This weakness can cause unintended behavior and can lead to…

  • CWE-636 – Not Failing Securely (‘Failing Open’)

    Description When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the…

  • CWE-637 – Unnecessary Complexity in Protection Mechanism (Not Using ‘Economy of Mechanism’)

    Description The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A…

  • CWE-638 – Not Using Complete Mediation

    Description The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity’s rights or privileges change over time. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657 CWE-862   Consequences Integrity, Confidentiality, Availability, Access Control, Other:…

  • CWE-639 – Authorization Bypass Through User-Controlled Key

    Description The system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-863 CWE-863 CWE-284   Consequences Access Control: Bypass Protection Mechanism Access control checks…

  • CWE-64 – Windows Shortcut Following (.LNK)

    Description The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. The shortcut (file with the .lnk extension) can permit an attacker…

  • CWE-640 – Weak Password Recovery Mechanism for Forgotten Password

    Description The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-287 CWE-287   Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain unauthorized…

  • CWE-641 – Improper Restriction of Names for Files and Other Resources

    Description The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in…

  • CWE-642 – External Control of Critical State Data

    Description The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-668   Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity An attacker could potentially…

  • CWE-643 – Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)

    Description The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…

  • CWE-644 – Improper Neutralization of HTTP Headers for Scripting Syntax

    Description The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-116   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code…

  • CWE-646 – Reliance on File Name or Extension of Externally-Supplied File

    Description The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. An application might use the file name or extension of…

  • CWE-602 – Client-Side Enforcement of Server-Side Security

    Description The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the…

  • CWE-603 – Use of Client-Side Authentication

    Description A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of…

  • CWE-605 – Multiple Binds to the Same Port

    Description When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY.…

  • CWE-606 – Unchecked Input for Loop Condition

    Description The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. Modes of Introduction: – Implementation     Related Weaknesses CWE-1284 CWE-834   Consequences Availability: DoS: Resource Consumption (CPU)   Potential Mitigations Phase: Implementation Description:  Do not use…

  • CWE-607 – Public Static Final Field References Mutable Object

    Description A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. Modes of Introduction: – Implementation     Related Weaknesses CWE-471   Consequences Integrity: Modify Application Data   Potential Mitigations Phase: Implementation Description:  Protect mutable objects by making them…

  • CWE-608 – Struts: Non-private Field in ActionForm Class

    Description An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. Modes of Introduction: – Implementation     Related Weaknesses CWE-668   Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data   Potential Mitigations Phase: Implementation Description:  Make all fields private. Use getter…

  • CWE-609 – Double-Checked Locking

    Description The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs…

  • CWE-61 – UNIX Symbolic Link (Symlink) Following

    Description The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink)…

  • CWE-610 – Externally Controlled Reference to a Resource in Another Sphere

    Description The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-664   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations CVE References

  • CWE-611 – Improper Restriction of XML External Entity Reference

    Description The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Modes of Introduction: – Implementation     Related Weaknesses CWE-610 CWE-610 CWE-441   Consequences Confidentiality: Read Application Data, Read Files…

  • CWE-612 – Improper Authorization of Index Containing Sensitive Information

    Description The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index’s results are…

  • CWE-613 – Insufficient Session Expiration

    Description According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.” Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-672 CWE-672 CWE-287   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Implementation Description:  Set sessions/credentials expiration…

  • CWE-614 – Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

    Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. Modes of Introduction: – Implementation     Related Weaknesses CWE-311   Consequences Confidentiality: Read Application Data   Potential Mitigations Phase: Implementation Description:  Always set the secure…

  • CWE-615 – Inclusion of Sensitive Information in Source Code Comments

    Description While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application’s structure and files, expose hidden…

  • CWE-616 – Incomplete Identification of Uploaded File Variables (PHP)

    Description The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. These global variables could be overwritten by POST requests, cookies, or other…

  • CWE-617 – Reachable Assertion

    Description The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Modes of Introduction: – Implementation     Related Weaknesses CWE-670 CWE-670   Consequences Availability: DoS: Crash, Exit, or Restart An attacker that can trigger…

  • CWE-618 – Exposed Unsafe ActiveX Method

    Description An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser’s security model (e.g. the zone or domain). ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to…

  • CWE-619 – Dangling Database Cursor (‘Cursor Injection’)

    Description If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor “dangling.” For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor’s role, but SQL injection attacks…

  • CWE-62 – UNIX Hard Link

    Description The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for…

  • CWE-620 – Unverified Password Change

    Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. Modes of Introduction: – Architecture and Design    …

  • CWE-584 – Return Inside Finally Block

    Description The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. Modes of Introduction: – Implementation     Related Weaknesses CWE-705   Consequences Other: Alter Execution Logic   Potential Mitigations Phase: Implementation Description:  Do not use a return statement inside the finally…

  • CWE-585 – Empty Synchronized Block

    Description The software contains an empty synchronized block. An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block. Modes of Introduction: – Implementation  …

  • CWE-586 – Explicit Call to Finalize()

    Description The software makes an explicit call to the finalize() method from outside the finalizer. While the Java Language Specification allows an object’s finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first…

  • CWE-587 – Assignment of a Fixed Address to a Pointer

    Description The software sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-344 CWE-758   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized…

  • CWE-588 – Attempt to Access Child of a Non-structure Pointer

    Description Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-704 CWE-758   Consequences Integrity: Modify Memory Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.…

  • CWE-589 – Call to Non-ubiquitous API

    Description The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. Some functions that offer security features supported by the OS are not available on all versions of the OS in common use.…

  • CWE-59 – Improper Link Resolution Before File Access (‘Link Following’)

    Description The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms. Modes of Introduction: – Implementation   Likelihood…

  • CWE-590 – Free of Memory not on the Heap

    Description The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). When free() is called on an invalid pointer, the program’s memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an…

  • CWE-591 – Sensitive Data Storage in Improperly Locked Memory

    Description The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. On Windows systems the VirtualLock function can lock a…

  • CWE-592 – DEPRECATED: Authentication Bypass Issues

    Description This weakness has been deprecated because it covered redundant concepts already described in CWE-287. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-593 – Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

    Description The software modifies the SSL context after connection creation has begun. If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change. Modes of Introduction: – Architecture and Design     Related…

  • CWE-594 – J2EE Framework: Saving Unserializable Objects to Disk

    Description When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk…

  • CWE-595 – Comparison of Object References Instead of Object Contents

    Description The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings’…

  • CWE-596 – DEPRECATED: Incorrect Semantic Object Comparison

    Description This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023. Modes of Introduction:     Related Weaknesses   Consequences   Potential Mitigations CVE References

  • CWE-597 – Use of Wrong Operator in String Comparison

    Description The product uses the wrong operator when comparing a string, such as using “==” when the .equals() method should be used instead. In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references…

  • CWE-598 – Use of GET Request Method With Sensitive Query Strings

    Description The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. The query string for the URL could be saved in the browser’s history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If…

  • CWE-599 – Missing Validation of OpenSSL Certificate

    Description The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if…

  • CWE-6 – J2EE Misconfiguration: Insufficient Session-ID Length

    Description The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user’s session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess…

USN-5450-1: Subversion vulnerabilities

Read Time:21 Second

Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)

Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)

Read More