CWE-920 – Improper Restriction of Power Consumption

Description

The software operates in an environment in which power is a limited resource that cannot be automatically replenished, but the software does not properly restrict the amount of power that its operation consumes.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-400

Consequences

Availability: DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart

The power source could be drained, causing the application – and the entire device – to cease functioning.

Potential Mitigations

CVE References

CWE-92 – DEPRECATED: Improper Sanitization of Custom Special Characters

Description

This entry has been deprecated. It originally came from PLOVER, which sometimes defined “other” and “miscellaneous” categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

Consequences

Potential Mitigations

CVE References

CWE-918 – Server-Side Request Forgery (SSRF)

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to use other URL schemes that can access documents on the system (such as file://), or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
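The description above lists what an SSRF check has to cover: the URL scheme, the port, and where the name actually resolves. The following destination check is an added example and not code from the CWE entry; the allowed-port set and the injectable `resolve` callable are assumptions of this example (the default resolver uses the system DNS), and the constructed resolver in the demo exists only so the code runs offline.

```python
"""Destination check for a server-side URL fetch (CWE-918 mitigation).

Added example; this is not code from the CWE entry. It applies the checks the
description implies: only http/https (so file://, gopher://, tftp:// are
refused), only expected ports, and the resolved address must not be internal.
ALLOWED_PORTS and the injectable `resolve` callable are assumptions of this
example; the default resolver uses the system DNS.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({80, 443})


def resolve_with_dns(host):
    """Default resolver: every A/AAAA record for `host`, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(addr):
    """True for addresses a public web fetch should never reach: loopback,
    RFC 1918 / ULA private ranges, link-local (which includes the 169.254.0.0/16
    cloud metadata range), multicast, reserved and unspecified addresses."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=resolve_with_dns):
    """Return (ok, reason, addresses).

    On success `addresses` holds the vetted IPs. The caller should connect to one
    of those directly (sending the original name in the Host header) rather than
    resolving the name again, so a second lookup cannot return an internal
    address after the check has passed (DNS rebinding)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port", []
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port, []
    # An IP literal skips DNS; otherwise resolve once and vet every record,
    # because one name may map to both a public and an internal address.
    try:
        ipaddress.ip_address(host)
        raw = [host]
    except ValueError:
        try:
            raw = resolve(host)
        except (socket.gaierror, OSError):
            return False, "host does not resolve", []
    if not raw:
        return False, "host does not resolve", []
    addrs = [ipaddress.ip_address(a) for a in raw]
    for addr in addrs:
        if is_internal(addr):
            return False, "resolves to internal address %s" % addr, []
    return True, "ok", [str(a) for a in addrs]


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline (addresses are made up).
    fake_dns = lambda host: {"www.example.com": ["93.184.216.34"]}.get(host, [])
    for candidate in ("https://www.example.com/feed", "http://127.0.0.1:80/",
                      "file:///etc/hosts", "http://www.example.com:8080/"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_dns)[:2])
```

The check deliberately returns the vetted addresses instead of a bare boolean: a fetcher that validates the name and then lets its HTTP library resolve it a second time has only validated a DNS answer that may no longer be the one it connects to.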

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-441
CWE-610

Consequences

Confidentiality: Read Application Data

Integrity: Execute Unauthorized Code or Commands

Potential Mitigations

CVE References

  • CVE-2002-1484
    • Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
  • CVE-2010-1637
    • Web-based mail program allows internal network scanning using a modified POP3 port number.
  • CVE-2009-0037
    • URL-downloading library automatically follows redirects to file:// and scp:// URLs

CWE-917 – Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)

Description

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-77
CWE-74

Consequences

Confidentiality: Read Application Data

Integrity: Execute Unauthorized Code or Commands

Potential Mitigations

CVE References

CWE-916 – Use of Password Hash With Insufficient Computational Effort

Description

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-327

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

When using industry-approved techniques, use them correctly. Don’t cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
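The mitigation above says to use an industry-approved scheme without skipping its resource-intensive steps, and the CVE list that follows shows what skipping them looks like in practice (no salt, a constant salt, the username as salt). The code below is an added example, not code from the CWE entry: it uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-record salt and stores the iteration count with the hash so the work factor can be raised later. The record layout, the default iteration count and `weak_hash` (which exists only to show why the unsalted pattern is weak) are this example's own choices.

```python
"""Password hashing with a per-record random salt and a tunable work factor
(CWE-916 mitigation).

Added example; not code from the CWE entry. PBKDF2-HMAC-SHA256 is used because
hashlib provides it everywhere; the iteration count is stored in the record so
it can be raised without breaking existing records. weak_hash() reproduces the
unsalted / constant-salt pattern behind the CVEs in this entry only to show the
property that makes it weak.
"""
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.
    The salt is fresh per call, so two users with the same password get
    different records and a precomputed table is useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the digest with the parameters stored in the record and compare
    in constant time. Malformed records verify as False rather than raising."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    if algorithm != "pbkdf2_sha256" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when the stored work factor is below current policy, so the
    application can re-hash at the next successful login."""
    try:
        stored = int(record.split("$")[1])
    except (IndexError, ValueError):
        return True
    return stored < iterations


def weak_hash(password, constant_salt=b""):
    """The weak pattern from the CVE list: one fast hash, no or constant salt.
    Equal passwords produce equal hashes, so a single precomputed table or one
    GPU pass over a leaked table cracks every user who chose that password."""
    return hashlib.md5(constant_salt + password.encode("utf-8")).hexdigest()
```

Storing the iteration count in the record is what makes "do not cut corners" sustainable: when hardware gets faster, `DEFAULT_ITERATIONS` goes up, `needs_rehash` flags old records, and they are upgraded transparently the next time the user presents the correct password.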

CVE References

  • CVE-2008-1526
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2006-1058
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2008-4905
    • Blogging software uses a hard-coded salt when calculating a password hash.
  • CVE-2002-1657
    • Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2001-0967
    • Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2005-0408
    • chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

CWE-915 – Improperly Controlled Modification of Dynamically-Determined Object Attributes

Description

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-913
CWE-502

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
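One of the mitigations above is to seal serialized data with an HMAC so that tampered data is rejected before it is deserialized. The following is an added example and not code from the CWE entry: it serializes state as JSON (a format that cannot name arbitrary classes), appends an HMAC-SHA256 tag over the exact bytes that will later be parsed, and verifies that tag before parsing. The token layout and `SERVER_KEY` are constructed for the example; a real deployment loads the key from a secret store.

```python
"""Seal serialized state with an HMAC and verify it before deserializing
(CWE-915 mitigation).

Added example; not code from the CWE entry. JSON is used because it cannot
express arbitrary objects, so even a tampered payload that slipped through
could not instantiate a class. The HMAC tag covers the exact bytes that are
parsed. SERVER_KEY is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"example-only-key-replace-with-secret-store-value"  # constructed


class TamperedData(ValueError):
    """Raised when a token is malformed or its tag does not verify."""


def seal(state, key=SERVER_KEY):
    """Serialize `state` (JSON-compatible) and append an HMAC-SHA256 tag.
    Token layout: urlsafe_b64(payload) + "." + urlsafe_b64(tag)."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode("ascii") + "."
            + base64.urlsafe_b64encode(tag).decode("ascii"))


def unseal(token, key=SERVER_KEY):
    """Verify the tag in constant time, then (and only then) parse the payload."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        raise TamperedData("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise TamperedData("HMAC mismatch")
    return json.loads(payload.decode("utf-8"))


def is_valid(token, key=SERVER_KEY):
    """Convenience wrapper: True if the token unseals, False otherwise."""
    try:
        unseal(token, key)
        return True
    except TamperedData:
        return False


if __name__ == "__main__":
    token = seal({"user_id": 42, "role": "viewer"})     # constructed state
    print("round trip:", unseal(token))
    # A token whose payload was swapped but whose tag was kept must not verify.
    swapped = seal({"user_id": 42, "role": "admin"}).split(".")[0] + "." + token.split(".")[1]
    print("tampered token accepted?", is_valid(swapped))
```

The order inside `unseal` matters: the tag is checked over the raw bytes first, and the parser only ever sees data that carries a valid tag. Verifying after parsing would already have exposed the deserializer to the untrusted input.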

CVE References

  • CVE-2012-2054
    • Mass assignment allows modification of arbitrary attributes using modified URL.
  • CVE-2012-2055
    • Source version control product allows modification of trusted key using mass assignment.
  • CVE-2008-7310
    • Attackers can bypass payment step in e-commerce software.
  • CVE-2013-1465
    • Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
  • CVE-2012-3527
    • Use of PHP unserialize function on untrusted input in content management system might allow code execution.
  • CVE-2012-0911
    • Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
  • CVE-2012-0911
    • Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
  • CVE-2011-4962
    • Content management system written in PHP allows code execution through page comments.
  • CVE-2009-4137
    • Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
  • CVE-2007-5741
    • Content management system written in Python interprets untrusted data as pickles, allowing code execution.
  • CVE-2011-2520
    • Python script allows local users to execute code via pickled data.
  • CVE-2005-2875
    • Python script allows remote attackers to execute arbitrary code using pickled objects.
  • CVE-2013-0277
    • Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
  • CVE-2011-2894
    • Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
  • CVE-2012-1833
    • Grails allows binding of arbitrary parameters to modify arbitrary object properties.
  • CVE-2010-3258
    • Incorrect deserialization in web browser allows escaping the sandbox.
  • CVE-2008-1013
    • Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.

CWE-914 – Improper Control of Dynamically-Identified Variables

Description

The software does not properly restrict reading from or writing to dynamically-identified variables.

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-99
CWE-913

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that internal program variables do not need to be dynamically identified.
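CWE-914 and CWE-915 above share the same first mitigation: check externally-influenced names against an allowlist of the attributes or variables that may be modified. The code below is one added example serving both entries and is not code from either CWE entry. `UserProfile`, its fields and the request dictionaries are constructed for the demonstration; `update_unchecked` shows the mass-assignment weakness, `update_allowlisted` the CWE-915 mitigation, and `bind_variables` the CWE-914 counterpart for request input that would otherwise be turned directly into program variables (the extract()/register_globals pattern in the CVE list above).

```python
"""Allowlist-based handling of dynamically named attributes (CWE-915) and
variables (CWE-914).

Added example; not code from the CWE entries. UserProfile and the request
dictionaries are constructed for the demonstration.
"""


class UserProfile:
    # The allowlist: the only attributes a self-service update may touch.
    EDITABLE = frozenset({"display_name", "email", "timezone"})

    def __init__(self, username):
        self.username = username
        self.display_name = username
        self.email = ""
        self.timezone = "UTC"
        self.is_admin = False          # security-relevant, never user-editable
        self.email_verified = False    # security-relevant, never user-editable


def update_unchecked(obj, params):
    """The weakness: every key in the request becomes an attribute write, so a
    request that happens to carry is_admin=True changes the privilege flag."""
    for name, value in params.items():
        setattr(obj, name, value)


def update_allowlisted(obj, params, allowed=None):
    """The mitigation. Returns (applied, rejected). If any requested name is
    off the allowlist the whole request is refused and nothing is written, so
    a partially applied update cannot leave the object in a mixed state."""
    allowed = obj.EDITABLE if allowed is None else frozenset(allowed)
    rejected = sorted(set(params) - allowed)
    if rejected:
        return [], rejected
    for name in params:            # every name here is on the allowlist
        setattr(obj, name, params[name])
    return sorted(params), []


def bind_variables(defaults, params, allowed):
    """CWE-914 counterpart of the same rule. Instead of letting request input
    name program variables directly, start from known defaults and let the
    request override only the allowlisted names. Returns (bound, rejected);
    bound is None when the request names a variable it may not touch."""
    allowed = frozenset(allowed)
    rejected = sorted(set(params) - allowed)
    if rejected:
        return None, rejected
    bound = dict(defaults)
    bound.update((name, params[name]) for name in params)
    return bound, []


if __name__ == "__main__":
    request = {"display_name": "Alice", "is_admin": True}   # constructed input
    weak = UserProfile("alice")
    update_unchecked(weak, request)
    print("unchecked update set is_admin to", weak.is_admin)
    safe = UserProfile("alice")
    print("allowlisted update result:", update_allowlisted(safe, request),
          "is_admin still", safe.is_admin)
    print(bind_variables({"page": 1, "include_path": "/srv/app/views"},
                         {"page": "3", "include_path": "/tmp/other"}, {"page"}))
```

Refusing the whole request on the first unknown name, rather than silently dropping it, is a deliberate choice: it surfaces probing in the application's error logs instead of hiding it, and it keeps the allowlist honest, since legitimate clients that send an unexpected field fail loudly during development.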

CVE References

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing
  • CVE-2009-0422
    • Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
  • CVE-2007-2431
    • Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
  • CVE-2006-4904
    • Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
  • CVE-2006-4019
    • Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

CWE-913 – Improper Control of Dynamically-Managed Code Resources

Description

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-664

Consequences

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of acceptable values.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that it does not need to be dynamically managed.

CVE References

CWE-912 – Hidden Functionality

Description

The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software’s users or administrators.

Hidden functionality can take many forms, such as intentionally malicious code, “Easter Eggs” that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software’s attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-684

Consequences

Other, Integrity: Varies by Context, Alter Execution Logic

Potential Mitigations

Phase: Installation

Effectiveness:

Description: 

Always verify the integrity of the software that is being installed.

Phase: Testing

Effectiveness:

Description: 

Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.

CVE References

CWE-911 – Improper Update of Reference Count

Description

The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released.
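The paragraph above names both failure modes of a hand-maintained reference count: a count that reaches zero while the resource is still in use (freed too soon), and a count that never reaches zero (never freed). The following is an added example, not code from the CWE entry; `SharedHandle` wraps a constructed resource, `use_handle_leaky` reproduces the pattern behind several CVEs listed below (increment, then fail before the matching decrement), `use_handle_safe` pairs every increment with a decrement on all paths, and `release` refuses to drive the count below zero so a mismatched release is caught rather than turning into a free of live memory.

```python
"""Manual reference counting with the two CWE-911 failure modes made visible.

Added example; not code from the CWE entry. SharedHandle stands in for a
resource (socket, buffer, kernel object) whose lifetime is managed by a count
the program maintains itself.
"""


class RefCountError(RuntimeError):
    """A release that does not match an earlier acquire, or use after free."""


class SharedHandle:
    def __init__(self, name):
        self.name = name
        self.refcount = 0
        self.closed = False          # stands in for "memory has been freed"

    def acquire(self):
        if self.closed:
            raise RefCountError("acquire on released resource %s" % self.name)
        self.refcount += 1
        return self

    def release(self):
        if self.refcount <= 0:
            # Decrementing past zero is how a count "accidentally reaches zero":
            # the next release would free memory some other holder still uses.
            raise RefCountError("release without matching acquire on %s" % self.name)
        self.refcount -= 1
        if self.refcount == 0:
            self.closed = True       # no holders left: safe to free

    # Context-manager form so the decrement cannot be forgotten on any path.
    def __enter__(self):
        return self.acquire()

    def __exit__(self, exc_type, exc, tb):
        self.release()
        return False                 # never swallow the caller's exception


def use_handle_leaky(handle, work):
    """Buggy: if `work` raises, the release is skipped, the count stays high and
    the resource is never freed (the leak case in the text)."""
    handle.acquire()
    result = work(handle)
    handle.release()
    return result


def use_handle_safe(handle, work):
    """Correct: the decrement runs on the success and the failure path alike."""
    with handle:
        return work(handle)


def failing_work(handle):
    """Constructed workload that fails partway through."""
    raise ValueError("simulated failure while using %s" % handle.name)


def count_after_failure(use):
    """Run `use` with a failing workload; report (refcount, closed) left behind."""
    handle = SharedHandle("socket-7")
    try:
        use(handle, failing_work)
    except ValueError:
        pass
    return handle.refcount, handle.closed


def detects_extra_release():
    """A release with no matching acquire must be reported, not applied."""
    handle = SharedHandle("buffer-3").acquire()
    handle.release()
    try:
        handle.release()
    except RefCountError:
        return True
    return False


if __name__ == "__main__":
    print("leaky path leaves (refcount, closed) =", count_after_failure(use_handle_leaky))
    print("safe  path leaves (refcount, closed) =", count_after_failure(use_handle_safe))
    print("extra release detected:", detects_extra_release())
```

The underflow check in `release` is the cheap half of the defence and is worth having even in code that otherwise trusts itself: several of the CVEs below are chains in which an integer overflow or a race drove the count to zero early, and an explicit "count already zero" failure turns a silent use-after-free into a diagnosable error.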

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664
CWE-672
CWE-772

Consequences

Potential Mitigations

CVE References

  • CVE-2002-0574
    • chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2004-0114
    • Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory.
  • CVE-2006-3741
    • chain: improper reference count tracking leads to file descriptor consumption
  • CVE-2007-1383
    • chain: integer overflow in reference counter causes the same variable to be destroyed twice.
  • CVE-2007-1700
    • Incorrect reference count calculation leads to improper object destruction and code execution.
  • CVE-2008-2136
    • chain: incorrect update of reference count leads to memory leak.
  • CVE-2008-2785
    • chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use.
  • CVE-2008-5410
    • Improper reference counting leads to failure of cryptographic operations.
  • CVE-2009-1709
    • chain: improper reference counting in a garbage collection routine leads to use-after-free
  • CVE-2009-3553
    • chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free.
  • CVE-2009-3624
    • Reference count not always incremented, leading to crash or code execution.
  • CVE-2010-0176
    • improper reference counting leads to expired pointer dereference.
  • CVE-2010-0623
    • OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash.
  • CVE-2010-4593
    • improper reference counting leads to exhaustion of IP addresses
  • CVE-2011-0695
    • Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.
  • CVE-2012-4787
    • improper reference counting leads to use-after-free