Monthly Archives: May 2022

CWE

CWE-786 – Access of Memory Location Before Start of Buffer

Read Time:1 Minute, 39 Second

Description

The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-119
CWE-119
CWE-119

 

Consequences

Confidentiality: Read Memory

For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.

Integrity, Availability: Modify Memory, DoS: Crash, Exit, or Restart

Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash.

Integrity: Modify Memory, Execute Unauthorized Code or Commands

If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy.

 

Potential Mitigations

CVE References

 

  • CVE-2002-2227
    • Unchecked length of SSLv2 challenge value leads to buffer underflow.
  • CVE-2007-4580
    • Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130)
  • CVE-2007-1584
    • Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character.
  • CVE-2007-0886
    • Buffer underflow resultant from encoded data that triggers an integer overflow.
  • CVE-2006-6171
    • Product sets an incorrect buffer size limit, leading to “off-by-two” buffer underflow.
  • CVE-2006-4024
    • Negative value is used in a memcpy() operation, leading to buffer underflow.
  • CVE-2004-2620
    • Buffer underflow due to mishandled special characters
CWE

CWE-785 – Use of Path Manipulation Function without Maximum-sized Buffer

Read Time:58 Second

Description

The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.

Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-676
CWE-120
CWE-20

 

Consequences

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.

CVE References

 

CWE

CWE-784 – Reliance on Cookies without Validation and Integrity Checking in a Security Decision

Read Time:1 Minute, 47 Second

Description

The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-807
CWE-565

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

It is dangerous to use cookies to set a user’s privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Avoid using cookie data for a security-related decision.

Phase: Implementation

Effectiveness:

Description: 

Perform thorough input validation (i.e.: server side validation) on the cookie data if you’re going to use it for a security related decision.

Phase: Architecture and Design

Effectiveness:

Description: 

Add integrity checks to detect tampering.

Phase: Architecture and Design

Effectiveness:

Description: 

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

CVE References

 

  • CVE-2009-1549
    • Attacker can bypass authentication by setting a cookie to a specific value.
  • CVE-2009-1619
    • Attacker can bypass authentication and gain admin privileges by setting an “admin” cookie to 1.
  • CVE-2009-0864
    • Content management system allows admin privileges by setting a “login” cookie to “OK.”
  • CVE-2008-5784
    • e-dating application allows admin privileges by setting the admin cookie to 1.
  • CVE-2008-6291
    • Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to “admin.”
CWE

CWE-783 – Operator Precedence Logic Error

Read Time:1 Minute, 0 Second

Description

The program uses an expression in which operator precedence causes incorrect logic to be used.

While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-670

 

Consequences

Confidentiality, Integrity, Availability: Varies by Context, Unexpected State

The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Regularly wrap sub-expressions in parentheses, especially in security-critical code.

CVE References

 

  • CVE-2008-2516
    • Authentication module allows authentication bypass because it uses “(x = call(args) == SUCCESS)” instead of “((x = call(args)) == SUCCESS)”.
  • CVE-2008-0599
    • Chain: Language interpreter calculates wrong buffer size (CWE-131) by using “size = ptr ? X : Y” instead of “size = (ptr ? X : Y)” expression.
  • CVE-2001-1155
    • Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
CWE

CWE-782 – Exposed IOCTL with Insufficient Access Control

Read Time:1 Minute, 12 Second

Description

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-749
CWE-781

 

Consequences

Integrity, Availability, Confidentiality:

Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

In Windows environments, use proper access control for the associated device or device namespace. See References.

CVE References

 

  • CVE-2009-2208
    • Operating system does not enforce permissions on an IOCTL that can be used to modify network settings.
  • CVE-2008-3831
    • Device driver does not restrict ioctl calls to its direct rendering manager.
  • CVE-2008-3525
    • ioctl does not check for a required capability before processing certain requests.
  • CVE-2008-0322
    • Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten.
  • CVE-2007-4277
    • Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL.
  • CVE-2007-1400
    • Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl.
  • CVE-2006-4926
    • Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL.
  • CVE-1999-0728
    • Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL.
CWE

CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

Read Time:1 Minute, 51 Second

Description

The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.

When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing or incorrect, attackers can supply arbitrary memory addresses, leading to code execution or a denial of service.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-1285
CWE-822

 

Consequences

Integrity, Availability, Confidentiality: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. See References.

Phase: Architecture and Design

Effectiveness:

Description: 

If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT.

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References.

CVE References

 

  • CVE-2006-2373
    • Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code.
  • CVE-2009-0686
    • Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges.
  • CVE-2008-5724
    • Personal firewall allows attackers to gain SYSTEM privileges.
  • CVE-2007-5756
    • chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.
CWE

CWE-780 – Use of RSA Algorithm without OAEP

Read Time:32 Second

Description

The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-327

 

Consequences

Access Control: Bypass Protection Mechanism

Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext.

 

Potential Mitigations

CVE References

 

CWE

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Read Time:5 Minute, 52 Second

Description

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-77
CWE-74
CWE-77
CWE-77
CWE-88

 

Consequences

Confidentiality, Integrity, Availability, Non-Repudiation: Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Read Files or Directories, Modify Files or Directories, Read Application Data, Modify Application Data, Hide Activities

Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application’s owner.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Phase: Architecture and Design

Effectiveness:

Description: 

For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session’s state instead of sending it out to the client in a hidden form field.

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Effectiveness:

Description: 

If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Phase: Operation

Effectiveness:

Description: 

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl’s “-T” switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Phase: Operation

Effectiveness:

Description: 

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl’s “-T” switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Phase: Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness:

Description: 

Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Operation, Implementation

Effectiveness:

Description: 

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CVE References

 

  • CVE-1999-0067
    • Canonical example of OS command injection. CGI program does not neutralize “|” metacharacter when invoking a phonebook program.
  • CVE-2001-1246
    • Language interpreter’s mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
  • CVE-2002-0061
    • Web server allows command execution using “|” (pipe) character.
  • CVE-2003-0041
    • FTP client does not filter “|” from filenames returned by the server, allowing for OS command injection.
  • CVE-2008-2575
    • Shell metacharacters in a filename in a ZIP archive
  • CVE-2002-1898
    • Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.
  • CVE-2008-4304
    • OS command injection through environment variable.
  • CVE-2007-3572
    • Chain: incomplete denylist for OS command injection
  • CVE-2012-1988
    • Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.
CWE

CWE-779 – Logging of Excessive Data

Read Time:1 Minute, 49 Second

Description

The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator’s ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment.

Modes of Introduction:

– Operation

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-400

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other)

Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system.

Non-Repudiation: Hide Activities

Logging too much information can make the log files of less use to forensics analysts and developers when trying to diagnose a problem or recover from an attack.

Non-Repudiation: Hide Activities

If system administrators are unable to effectively process log files, attempted attacks may go undetected, possibly leading to eventual system compromise.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Suppress large numbers of duplicate log messages and replace them with periodic summaries. For example, syslog may include an entry that states “last message repeated X times” when recording repeated events.

Phase: Architecture and Design

Effectiveness:

Description: 

Support a maximum size for the log file that can be controlled by the administrator. If the maximum size is reached, the admin should be notified. Also, consider reducing functionality of the software. This may result in a denial-of-service to legitimate software users, but it will prevent the software from adversely impacting the entire system.

Phase: Implementation

Effectiveness:

Description: 

Adjust configurations appropriately when software is transitioned from a debug state to production.

CVE References

 

  • CVE-2007-0421
    • server records a large amount of data to the server log when it receives malformed headers
  • CVE-2002-1154
    • chain: application does not restrict access to front-end for updates, which allows attacker to fill the error log
CWE

CWE-778 – Insufficient Logging

Read Time:1 Minute, 30 Second

Description

When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.

Modes of Introduction:

– Operation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-223
CWE-693

 

Consequences

Non-Repudiation: Hide Activities

If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.

Phase: Operation

Effectiveness:

Description: 

Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems.

CVE References

 

  • CVE-2008-4315
    • server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2008-1203
    • admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2007-3730
    • default configuration for POP server does not log source IP or username for login attempts
  • CVE-2007-1225
    • proxy does not log requests without “http://” in the URL, allowing web surfers to access restricted web content without detection
  • CVE-2003-1566
    • web server does not log requests for a non-standard request type