CWE-397 – Declaration of Throws for Generic Exception

Read Time:33 Second

Description

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java’s exception mechanism, for example, is set up to make it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-705
CWE-221
CWE-703

 

Consequences

Non-Repudiation, Other: Hide Activities, Alter Execution Logic

 

Potential Mitigations

CVE References

CWE-396 – Declaration of Catch for Generic Exception

Read Time:38 Second

Description

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Multiple catch blocks can get ugly and repetitive, but “condensing” catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java’s typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-705
CWE-755
CWE-221

 

Consequences

Non-Repudiation, Other: Hide Activities, Alter Execution Logic

 

Potential Mitigations

CVE References

CWE-395 – Use of NullPointerException Catch to Detect NULL Pointer Dereference

Read Time:22 Second

Description

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-705
CWE-755

 

Consequences

Availability: DoS: Resource Consumption (CPU)

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.

CVE References

CWE-394 – Unexpected Status Code or Return Value

Read Time:1 Minute, 2 Second

Description

The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-754

 

Consequences

Integrity, Other: Unexpected State, Alter Execution Logic

 

Potential Mitigations

CVE References

  • CVE-2004-1395
    • Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server’s listening loop to exit.
  • CVE-2002-2124
    • Unchecked return code from recv() leads to infinite loop.
  • CVE-2005-2553
    • Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn’t.
  • CVE-2005-1858
    • Memory not properly cleared when read() function call returns fewer bytes than expected.
  • CVE-2000-0536
    • Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
  • CVE-2001-0910
    • Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
  • CVE-2004-2371
    • Game server doesn’t check return values for functions that handle text strings and associated size values.
  • CVE-2005-1267
    • Resultant infinite loop when function call returns -1 value.

CWE-393 – Return of Wrong Status Code

Read Time:1 Minute, 8 Second

Description

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-684
CWE-703

 

Consequences

Integrity, Other: Unexpected State, Alter Execution Logic

This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors.

 

Potential Mitigations

CVE References

  • CVE-2003-1132
    • DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
  • CVE-2001-1509
    • Hardware-specific implementation of system call causes incorrect results from geteuid.
  • CVE-2001-1559
    • System call returns wrong value, leading to a resultant NULL dereference.
  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

CWE-392 – Missing Report of Error Condition

Read Time:48 Second

Description

The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-684
CWE-703
CWE-703
CWE-703

 

Consequences

Integrity, Other: Varies by Context, Unexpected State

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

 

Potential Mitigations

CVE References

  • CVE-2004-0063
    • Function returns “OK” even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
  • CVE-2002-1446
    • Error checking routine in PKCS#11 library returns “OK” status even when invalid signature is detected, allowing spoofed messages.
  • CVE-2002-0499
    • Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
  • CVE-2005-2459
    • Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

CWE-391 – Unchecked Error Condition

Read Time:56 Second

Description

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-754
CWE-703
CWE-703

 

Consequences

Integrity, Other: Varies by Context, Unexpected State, Alter Execution Logic

 

Potential Mitigations

Phase: Requirements

Description: 

The choice between a language which has named or unnamed exceptions needs to be done. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem.

Phase: Requirements

Description: 

A language can be used which requires, at compile time, to catch all serious exceptions. However, one must make sure to use the most current version of the API as new exceptions could be added.

Phase: Implementation

Description: 

Catch all relevant exceptions. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.

CVE References

CWE-390 – Detection of Error Condition Without Action

Read Time:1 Minute, 1 Second

Description

The software detects a specific error, but takes no actions to handle the error.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-755
CWE-401

 

Consequences

Integrity, Other: Varies by Context, Unexpected State, Alter Execution Logic

An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior.

 

Potential Mitigations

Phase: Implementation

Description: 

Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.

Phase: Implementation

Description: 

If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and cleanup the program.

Phase: Testing

Description: 

Subject the software to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing.

CVE References

CWE-39 – Path Traversal: ‘C:dirname’

Read Time:2 Minute, 22 Second

Description

An attacker can inject a drive letter or Windows volume letter (‘C:dirname’) into a software system to potentially redirect access to an unintended location or arbitrary file.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-36

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.

Integrity: Modify Files or Directories

The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.

Confidentiality: Read Files or Directories

The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.

Availability: DoS: Crash, Exit, or Restart

The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2001-0038
    • Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.
  • CVE-2001-0255
    • FTP server allows remote attackers to list arbitrary directories by using the “ls” command and including the drive letter name (e.g. C:) in the requested pathname.
  • CVE-2001-0687
    • FTP server allows a remote attacker to retrieve privileged system information by specifying arbitrary paths.
  • CVE-2001-0933
    • FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.
  • CVE-2002-0466
    • Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.
  • CVE-2002-1483
    • Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form “C:” (Drive letter), “//absolute/path”, or “..” .
  • CVE-2004-2488
    • FTP server read/access arbitrary files using “C:” filenames

CWE-386 – Symbolic Name not Mapping to Correct Object

Read Time:58 Second

Description

A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-706
CWE-367
CWE-610
CWE-486

 

Consequences

Access Control: Gain Privileges or Assume Identity

The attacker can gain access to otherwise unauthorized resources.

Integrity, Confidentiality, Other: Modify Application Data, Modify Files or Directories, Read Application Data, Read Files or Directories, Other

Race conditions such as this kind may be employed to gain read or write access to resources not normally readable or writable by the user in question.

Integrity, Other: Modify Application Data, Other

The resource in question, or other resources (through the corrupted one) may be changed in undesirable ways by a malicious user.

Non-Repudiation: Hide Activities

If a file or other resource is written in this method, as opposed to a valid way, logging of the activity may not occur.

Non-Repudiation, Integrity: Modify Files or Directories

In some cases it may be possible to delete files that a malicious user might not otherwise have access to — such as log files.

 

Potential Mitigations

CVE References