CWE-408 – Incorrect Behavior Order: Early Amplification

Description

The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-405
CWE-696

Consequences

Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.

Potential Mitigations

CVE References

  • CVE-2004-2458
    • Tool creates directories before authenticating user.

CWE-407 – Inefficient Algorithmic Complexity

Description

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
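The hash-table case named among this entry's CVE references is the classic instance of a worst case an attacker can steer a product into. The following C program is an added illustration, not part of the CWE entry: it simulates inserting keys into a chained hash table and reports the longest chain, first under a byte-sum hash (every rearrangement of the same bytes lands in one bucket) and then under 32-bit FNV-1a seeded with a per-process secret. The hash functions, the 256-bucket table, the permutation generator, the sample key "abcd" and the seed values are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 256          /* power of two, so bucket index = hash & (NBUCKETS - 1) */
#define NPERMS   24           /* 4! permutations of the constructed sample key */

typedef uint32_t (*hash_fn)(const char *key, uint32_t seed);

/* Weak hash: the byte sum. Any rearrangement of the same bytes collides,
   which is exactly the worst case the hash-collision CVEs describe. */
uint32_t hash_sum(const char *key, uint32_t seed) {
    (void)seed;                           /* unkeyed: the seed is ignored */
    uint32_t h = 0;
    for (; *key; key++) h += (unsigned char)*key;
    return h;
}

/* 32-bit FNV-1a with the fixed offset basis replaced by a secret per-process seed,
   so an outsider cannot precompute a colliding key set. */
uint32_t hash_fnv1a_keyed(const char *key, uint32_t seed) {
    uint32_t h = seed;
    for (; *key; key++) {
        h ^= (unsigned char)*key;
        h *= 16777619u;
    }
    return h;
}

/* Simulate inserting keys into a chained table and return the longest chain.
   Only bucket occupancy is tracked; the stored values are irrelevant here. */
size_t longest_chain(hash_fn hf, uint32_t seed, const char **keys, size_t n) {
    size_t counts[NBUCKETS] = {0};
    size_t worst = 0;
    for (size_t i = 0; i < n; i++) {
        size_t b = hf(keys[i], seed) & (NBUCKETS - 1);
        if (++counts[b] > worst) worst = counts[b];
    }
    return worst;
}

/* Write every permutation of s[k..len) into out: constructed sample input
   whose members all share one byte sum. */
static void permute(char *s, size_t k, size_t len, char out[][8], size_t *n) {
    if (k == len) {
        if (*n < NPERMS) memcpy(out[(*n)++], s, len + 1);
        return;
    }
    for (size_t i = k; i < len; i++) {
        char t = s[k]; s[k] = s[i]; s[i] = t;
        permute(s, k + 1, len, out, n);
        t = s[k]; s[k] = s[i]; s[i] = t;
    }
}

/* Longest chain produced by the 24 permutations of "abcd" under a given hash. */
size_t worst_chain_for_permutations(hash_fn hf, uint32_t seed) {
    char key[] = "abcd";
    char out[NPERMS][8];
    const char *keys[NPERMS];
    size_t n = 0;
    permute(key, 0, 4, out, &n);
    for (size_t i = 0; i < n; i++) keys[i] = out[i];
    return longest_chain(hf, seed, keys, n);
}

int main(void) {
    uint32_t seed = 0x9e3779b9u;   /* constructed; a service would draw this from the OS RNG */
    printf("byte-sum hash : longest chain %zu of %d keys\n",
           worst_chain_for_permutations(hash_sum, seed), NPERMS);
    printf("keyed FNV-1a  : longest chain %zu of %d keys\n",
           worst_chain_for_permutations(hash_fnv1a_keyed, seed), NPERMS);
    return 0;
}
```

The `longest_chain` measurement is the check worth keeping in a test suite: run it over the inputs an adversary could choose and fail the build when the chain length approaches the key count. Seeding the hash only raises the bar; it should be combined with limits on input size and count, since those bound the worst case regardless of the hash.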

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

Related Weaknesses

CWE-405

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.

Potential Mitigations

CVE References

  • CVE-2003-0244
    • CPU consumption via inputs that cause many hash table collisions.
  • CVE-2003-0364
    • CPU consumption via inputs that cause many hash table collisions.
  • CVE-2002-1203
    • Product performs unnecessary processing before dropping an invalid packet.
  • CVE-2004-2527
    • Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
  • CVE-2006-6931
    • Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a “backtracking attack.”
  • CVE-2006-3380
    • Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
  • CVE-2006-3379
    • Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
  • CVE-2005-2506
    • OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
  • CVE-2005-1792
    • Memory leak by performing actions faster than the software can clear them.

CWE-406 – Insufficient Control of Network Message Volume (Network Amplification)

Description

The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.

In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client’s origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to.

Modes of Introduction:

– Operation

Related Weaknesses

CWE-405

Consequences

Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

System resources can be quickly consumed leading to poor application performance or system crash. This may affect network performance and could be used to attack other systems and applications relying on network performance.

Potential Mitigations

Phase: Architecture and Design

Description: 

An application must make network resources available to a client commensurate with the client’s access level.

Phase: Policy

Description: 

Define a clear policy for network resource allocation and consumption.

Phase: Implementation

Description: 

An application must, at all times, keep track of network resources and meter their usage appropriately.

CVE References

  • CVE-1999-0513
    • Classic “Smurf” attack, using spoofed ICMP packets to broadcast addresses.
  • CVE-1999-1379
    • DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.
  • CVE-2000-0041
    • Large datagrams are sent in response to malformed datagrams.
  • CVE-2013-5211
    • composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

CWE-405 – Asymmetric Resource Consumption (Amplification)

Description

Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.

This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network.

Modes of Introduction:

– Operation

Related Weaknesses

CWE-664

Consequences

Availability: DoS: Amplification, DoS: Resource Consumption (Other)

Sometimes this is a factor in “flood” attacks, but other types of amplification exist.

Potential Mitigations

Phase: Architecture and Design

Description: 

An application must make resources available to a client commensurate with the client’s access level.

Phase: Architecture and Design

Description: 

An application must, at all times, keep track of allocated resources and meter their usage appropriately.

CVE References

CWE-404 – Improper Resource Shutdown or Release

Description

The program does not release or incorrectly releases a resource before it is made available for re-use.

When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664
CWE-405
CWE-619

Consequences

Availability, Other: DoS: Resource Consumption (Other), Varies by Context

Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.

Confidentiality: Read Application Data

When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.

Potential Mitigations

Phase: Requirements

Description: 

Phase: Implementation

Description: 

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function, including error conditions.

Phase: Implementation

Description: 

Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

Phase: Implementation

Description: 

When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
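The three implementation mitigations above (release at every exit point, match each release to its allocator, dispose of member components) fit into one pattern. The C program below is an added example, not code from the CWE entry: a record that owns an open descriptor and two heap buffers, a constructor whose every error exit funnels through a single cleanup label so no path can skip the release, and a destructor that frees each member with the matching function. The record type, the paths and the descriptor-counting helper are constructed for the example; the same pattern is what prevents the memory case described under CWE-401.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* A record that owns an open descriptor and two heap allocations. */
typedef struct {
    int fd;
    char *name;
    unsigned char *buf;
    size_t buflen;
} record_t;

/* Dispose of every member, not just the struct, pairing each release with
   the allocator that produced it: close() for open(), free() for malloc()/strdup(). */
void record_destroy(record_t *r) {
    if (!r) return;
    if (r->fd >= 0) close(r->fd);
    free(r->name);   /* free(NULL) is a no-op, so partially built records are safe */
    free(r->buf);
    free(r);
}

/* Build a record from path, reading at most maxlen bytes. Every failure,
   including those after the descriptor is open, jumps to one cleanup label,
   so the release cannot be skipped by an early return. Returns NULL on failure. */
record_t *record_open(const char *path, size_t maxlen) {
    record_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->fd = -1;                               /* nothing open yet; destroy() checks this */
    r->name = strdup(path);
    if (!r->name) goto fail;
    r->fd = open(path, O_RDONLY | O_CLOEXEC);
    if (r->fd < 0) goto fail;
    r->buf = malloc(maxlen);
    if (!r->buf) goto fail;
    ssize_t n = read(r->fd, r->buf, maxlen);
    if (n < 0) goto fail;
    r->buflen = (size_t)n;
    return r;
fail:
    record_destroy(r);                        /* single release path for all error exits */
    return NULL;
}

/* Count open descriptors below limit: a cheap leak detector for a test suite. */
int open_fd_count(int limit) {
    int count = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1) count++;
    return count;
}

/* Run open/destroy cycles on a path and report how many descriptors remain
   open afterwards compared with before. Zero means nothing leaked. */
int fds_leaked_by_cycles(const char *path, int cycles) {
    int before = open_fd_count(1024);
    for (int i = 0; i < cycles; i++) {
        record_t *r = record_open(path, 64);
        record_destroy(r);                    /* safe even when r is NULL */
    }
    return open_fd_count(1024) - before;
}

int main(void) {
    printf("leaked after 100 successful cycles : %d\n",
           fds_leaked_by_cycles("/dev/null", 100));
    printf("leaked after 100 failed cycles     : %d\n",
           fds_leaked_by_cycles("/nonexistent/constructed/path", 100));
    return 0;
}
```

The `open_fd_count` delta is the kind of assertion to run around any code path an untrusted client can drive repeatedly (the CVE entries under this weakness are all of that shape: malformed data or repeated connect/disconnect driving an unreleased socket or pipe). Tools such as valgrind catch the heap half of this; the descriptor half is cheap to check directly as shown.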

CVE References

  • CVE-1999-1127
    • Does not shut down named pipe connections if malformed data is sent.
  • CVE-2001-0830
    • Sockets not properly closed when attacker repeatedly connects and disconnects from server.
  • CVE-2002-1372
    • Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.

CWE-403 – Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)

Description

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.
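The inheritance described above can be made observable in a few lines. The following C program is an added example, not part of the CWE entry: it opens /dev/null as a stand-in for a sensitive file, forks and execs /bin/sh, and has the child attempt a no-op redirection onto the inherited descriptor number, which succeeds only if the descriptor is still open in the child. The plain open, the retro-fitted FD_CLOEXEC flag and the O_CLOEXEC open are shown side by side; the probe command, the file and the helper names are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report whether a descriptor carries FD_CLOEXEC, i.e. will be closed by exec(). */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Retro-fit FD_CLOEXEC onto a descriptor opened without O_CLOEXEC. Note the
   window: a fork()+exec() on another thread between open() and this call still
   inherits the descriptor, which is why setting O_CLOEXEC at open time is preferred. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open /dev/null (a stand-in for a sensitive file) plainly or with O_CLOEXEC. */
int open_sensitive(int with_cloexec) {
    return open("/dev/null", O_RDWR | (with_cloexec ? O_CLOEXEC : 0));
}

/* Fork, exec /bin/sh, and have the child try a no-op redirection onto fd.
   POSIX requires a redirection error if that descriptor is not open, so the
   shell exits 0 only when the child inherited it. Returns 1 (child could use
   the descriptor), 0 (closed for the child) or -1 on error. */
int child_can_use_fd(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": 1>&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                          /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* The three situations side by side; each returns child_can_use_fd() for its case. */
int leak_without_cloexec(void) {
    int fd = open_sensitive(0);
    int r = child_can_use_fd(fd);
    close(fd);
    return r;                                /* 1: the child inherited the descriptor */
}
int leak_after_set_cloexec(void) {
    int fd = open_sensitive(0);
    set_cloexec(fd);
    int r = child_can_use_fd(fd);
    close(fd);
    return r;                                /* 0: fixed after the fact */
}
int leak_with_o_cloexec(void) {
    int fd = open_sensitive(1);
    int r = child_can_use_fd(fd);
    close(fd);
    return r;                                /* 0: closed by exec() from the start */
}

int main(void) {
    printf("opened plainly        -> child can use fd: %d\n", leak_without_cloexec());
    printf("FD_CLOEXEC set later  -> child can use fd: %d\n", leak_after_set_cloexec());
    printf("opened with O_CLOEXEC -> child can use fd: %d\n", leak_with_o_cloexec());
    return 0;
}
```

The review check this suggests: in any process that spawns children, every open(), socket(), pipe() or dup() either carries the close-on-exec flag at creation or is followed immediately by the fcntl() above, and a privileged parent additionally closes everything above the standard descriptors before exec() as a belt-and-braces step. The shell's "Bad file descriptor" message printed for the closed cases is the expected evidence that the child was denied the descriptor.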

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-402

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

CVE References

  • CVE-2003-0740
    • Server leaks a privileged file descriptor, allowing the server to be hijacked.
  • CVE-2004-1033
    • File descriptor leak allows read of restricted files.
  • CVE-2000-0094
    • Access to restricted resource using modified file descriptor for stderr.
  • CVE-2002-0638
    • Open file descriptor used as alternate channel in complex race condition.
  • CVE-2003-0489
    • Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.
  • CVE-2003-0937
    • User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor.
  • CVE-2004-2215
    • Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users.
  • CVE-2006-5397
    • Module opens a file for reading twice, allowing attackers to read files.

CWE-402 – Transmission of Private Resources into a New Sphere (‘Resource Leak’)

Description

The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-668

Consequences

Confidentiality: Read Application Data

Potential Mitigations

CVE References

CWE-401 – Missing Release of Memory after Effective Lifetime

Description

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-772
CWE-404

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Instability, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.

Other: Reduce Performance

Potential Mitigations

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Phase: Architecture and Design, Build and Compilation

Description: 

The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.

This is not a complete solution as it is not 100% effective.

CVE References

  • CVE-2005-3119
    • Memory leak because function does not free() an element of a data structure.
  • CVE-2004-0427
    • Memory leak when counter variable is not decremented.
  • CVE-2002-0574
    • chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2005-3181
    • Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
  • CVE-2004-0222
    • Memory leak via unknown manipulations as part of protocol test suite.

CWE-400 – Uncontrolled Resource Consumption

Description

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Modes of Introduction:

– Operation

Likelihood of Exploit: High

Related Weaknesses

CWE-664

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users.

Access Control, Other: Bypass Protection Mechanism, Other

In some cases it may be possible to force the software to “fail open” in the event of resource exhaustion. The state of the software, and possibly the security functionality, may then be compromised.

Potential Mitigations

Phase: Architecture and Design

Description: 

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Ensure that protocols have specific limits of scale placed on them.

Phase: Implementation

Description: 

Ensure that all failures in resource allocation place the system into a safe posture.
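The throttling that this entry, CWE-405 and CWE-406 all call for (track consumption per client, meter it against the client's access level, block requests past a rate threshold, and fail safe when allocation fails) is usually a token bucket. The C program below is an added example, not code from the CWE text: a limiter that keeps a per-client budget whose refill rate and burst size depend on the client's access level, refuses requests once the budget is spent, and fails closed when its own client table is full. The access levels, rates, burst sizes and client identifiers are constructed values; the clock is passed in as a parameter so the behaviour is reproducible.

```c
#include <stdio.h>
#include <string.h>

typedef enum { LEVEL_ANON = 0, LEVEL_USER = 1, LEVEL_ADMIN = 2 } access_level;

/* Per-level policy: sustained rate (units per second) and burst (bucket capacity).
   The numbers are constructed for the example, not taken from any real deployment. */
static const struct { double rate, burst; } policy[] = {
    [LEVEL_ANON]  = {   2.0,   5.0 },
    [LEVEL_USER]  = {  20.0,  40.0 },
    [LEVEL_ADMIN] = { 100.0, 200.0 },
};

typedef struct {
    char id[32];
    access_level level;
    double tokens;   /* budget currently available */
    double last;     /* time of the last refill, in seconds */
} bucket_t;

#define MAX_CLIENTS 64
typedef struct { bucket_t b[MAX_CLIENTS]; size_t n; } limiter_t;

/* Find or create the bucket for a client. The table is bounded on purpose:
   an unbounded per-client map would itself be a resource a flood could exhaust. */
static bucket_t *lookup(limiter_t *l, const char *id, access_level lvl, double now) {
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->b[i].id, id) == 0) return &l->b[i];
    if (l->n == MAX_CLIENTS) return NULL;
    bucket_t *nb = &l->b[l->n++];
    snprintf(nb->id, sizeof nb->id, "%s", id);
    nb->level = lvl;
    nb->tokens = policy[lvl].burst;   /* a new client starts with one full burst */
    nb->last = now;
    return nb;
}

/* Charge `cost` units (requests, bytes to transmit, sessions...) to a client at
   time `now`. Returns 1 if the request may proceed, 0 if the budget is exhausted
   or the client table is full (fail closed: a full table grants nothing, not everything). */
int limiter_allow(limiter_t *l, const char *id, access_level lvl, double cost, double now) {
    bucket_t *b = lookup(l, id, lvl, now);
    if (!b) return 0;
    double elapsed = now - b->last;
    if (elapsed > 0) {                          /* refill in proportion to time passed */
        b->tokens += elapsed * policy[b->level].rate;
        if (b->tokens > policy[b->level].burst) b->tokens = policy[b->level].burst;
        b->last = now;
    }
    if (b->tokens < cost) return 0;
    b->tokens -= cost;
    return 1;
}

/* How many of `attempts` unit requests fired at the same instant get through:
   exactly the burst size configured for that access level. */
int allowed_in_burst(access_level lvl, int attempts) {
    limiter_t l = {0};
    int ok = 0;
    for (int i = 0; i < attempts; i++)
        ok += limiter_allow(&l, "client-constructed", lvl, 1.0, 0.0);
    return ok;
}

int main(void) {
    printf("anonymous burst : %d of 50 allowed\n", allowed_in_burst(LEVEL_ANON, 50));
    printf("user burst      : %d of 50 allowed\n", allowed_in_burst(LEVEL_USER, 50));
    printf("admin burst     : %d of 50 allowed\n", allowed_in_burst(LEVEL_ADMIN, 50));
    return 0;
}
```

Charging `cost` in bytes rather than requests is how the same structure covers the traffic-volume case of CWE-406: the budget then caps how much the software will transmit on one client's behalf, commensurate with that client's access level. The limiter should sit in front of the expensive work, before any parsing or lookup the request would otherwise trigger, so that a blocked request costs close to nothing.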

CVE References

  • CVE-2009-2874
    • Product allows attackers to cause a crash via a large number of connections.
  • CVE-2009-1928
    • Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
  • CVE-2009-2858
    • Chain: memory leak (CWE-404) leads to resource exhaustion.
  • CVE-2009-2726
    • Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
  • CVE-2009-2540
    • Large integer value for a length property in an object causes a large amount of memory allocation.
  • CVE-2009-2299
    • Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
  • CVE-2009-2054
    • Product allows exhaustion of file descriptors when processing a large number of TCP packets.
  • CVE-2008-5180
    • Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
  • CVE-2008-2121
    • TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack.
  • CVE-2008-2122
    • Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
  • CVE-2008-1700
    • Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
  • CVE-2007-4103
    • Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
  • CVE-2006-1173
    • Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.
  • CVE-2007-0897
    • Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.