CWE-197 – Numeric Truncation Error

Read Time:1 Minute, 11 Second

Description

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-195
CWE-196
CWE-192
CWE-194

 

Consequences

Integrity: Modify Memory

The true value of the data is lost and corrupted data is used.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.

CVE References

  • CVE-2009-0231
    • Integer truncation of length value leads to heap-based buffer overflow.
  • CVE-2008-3282
    • Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.

CWE-196 – Unsigned to Signed Conversion Error

Read Time:1 Minute, 32 Second

Description

The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.

Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-124
CWE-120

 

Consequences

Availability: DoS: Crash, Exit, or Restart

Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.

Integrity: Modify Memory

If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected.

Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Requirements

Description: 

Choose a language which is not subject to these casting flaws.

Phase: Architecture and Design

Description: 

Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors.

Phase: Implementation

Description: 

Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible.

CVE References

CWE-195 – Signed to Unsigned Conversion Error

Read Time:33 Second

Description

The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-681
CWE-681
CWE-681
CWE-119

 

Consequences

Integrity: Unexpected State

Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities.

 

Potential Mitigations

CVE References

  • CVE-2007-4268
    • Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)

CWE-194 – Unexpected Sign Extension

Read Time:1 Minute, 49 Second

Description

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-681
CWE-681
CWE-681

 

Consequences

Integrity, Confidentiality, Availability, Other: Read Memory, Modify Memory, Other

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application’s allowable range.

 

Potential Mitigations

Phase: Implementation

Description: 

Avoid using signed variables if you don’t need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

CVE References

  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-1999-0234
    • Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
  • CVE-2003-0161
    • Product uses “char” type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
  • CVE-2007-4988
    • chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  • CVE-2006-1834
    • chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
  • CVE-2005-2753
    • Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.

CWE-193 – Off-by-one Error

Read Time:3 Minute, 5 Second

Description

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682
CWE-682
CWE-617
CWE-170
CWE-119

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Implementation

Description: 

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

CVE References

  • CVE-2003-0252
    • Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.
  • CVE-2001-1391
    • Off-by-one vulnerability in driver allows users to modify kernel memory.
  • CVE-2002-0083
    • Off-by-one error allows local users or remote malicious servers to gain privileges.
  • CVE-2002-0653
    • Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.
  • CVE-2002-0844
    • Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.
  • CVE-1999-1568
    • Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.
  • CVE-2004-0346
    • Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.
  • CVE-2004-0005
    • Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2003-0356
    • Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2001-1496
    • Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code.
  • CVE-2004-0342
    • This is an interesting example that might not be an off-by-one.
  • CVE-2001-0609
    • An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string.
  • CVE-2002-1745
    • Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.
  • CVE-2002-1721
    • Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
  • CVE-2003-0466
    • Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
  • CVE-2003-0625
    • Off-by-one error allows read of sensitive memory via a malformed request.
  • CVE-2006-4574
    • Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.

CWE-192 – Integer Coercion Error

Read Time:1 Minute, 7 Second

Description

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-681

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Crash, Exit, or Restart

Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code.

Integrity, Other: Other

Integer coercion errors result in an incorrect value being stored for the variable in question.

 

Potential Mitigations

Phase: Requirements

Description: 

A language which throws exceptions on ambiguous data casts might be chosen.

Phase: Architecture and Design

Description: 

Design objects and program flow such that multiple or complex casts are unnecessary

Phase: Implementation

Description: 

Ensure that any data type casting that you must used is entirely understood in order to reduce the plausibility of error in use.

CVE References

CWE-191 – Integer Underflow (Wrap or Wraparound)

Read Time:1 Minute, 6 Second

Description

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

This can happen in signed and unsigned cases.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682
CWE-682

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

CVE References

  • CVE-2004-0816
    • Integer underflow in firewall via malformed packet.
  • CVE-2005-1891
    • Malformed icon causes integer underflow in loop counter variable.

CWE-190 – Integer Overflow or Wraparound

Read Time:3 Minute, 26 Second

Description

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-682
CWE-682
CWE-20
CWE-119

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Requirements

Description: 

Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.

Phase: Requirements

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Description: 

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

CVE References

  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-2019-1010006
    • Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787).
  • CVE-2005-1513
    • Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology.
  • CVE-2002-0391
    • Integer overflow via a large number of arguments.
  • CVE-2002-0639
    • Integer overflow in OpenSSH as listed in the demonstrative examples.
  • CVE-2005-1141
    • Image with large width and height leads to integer overflow.
  • CVE-2005-0102
    • Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.
  • CVE-2004-2013
    • Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.
  • CVE-2017-1000121
    • chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).
  • CVE-2013-1591
    • Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.

CWE-188 – Reliance on Data/Memory Layout

Read Time:36 Second

Description

The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-1105
CWE-435

 

Consequences

Integrity, Confidentiality: Modify Memory, Read Memory

Can result in unintended modifications or exposure of sensitive memory.

 

Potential Mitigations

Phase: Implementation, Architecture and Design

Description: 

In flat address space situations, never allow computing memory addresses as offsets from another memory address.

Phase: Architecture and Design

Description: 

Fully specify protocol layout unambiguously, providing a structured grammar (e.g., a compilable yacc grammar).

Phase: Testing

Description: 

Testing: Test that the implementation properly handles each case in the protocol grammar.

CVE References

CWE-187 – Partial String Comparison

Read Time:1 Minute, 5 Second

Description

The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1023

 

Consequences

Integrity, Access Control: Alter Execution Logic, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CVE References

  • CVE-2014-6394
    • Product does not prevent access to restricted directories due to partial string comparison with a public directory
  • CVE-2004-1012
    • Argument parser of an IMAP server treats a partial command “body[p” as if it is “body.peek”, leading to index error and out-of-bounds corruption.
  • CVE-2004-0765
    • Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.
  • CVE-2002-1374
    • One-character password by attacker checks only against first character of real password.
  • CVE-2000-0979
    • One-character password by attacker checks only against first character of real password.