Monthly Archives: May 2022

CWE

CWE-836 – Use of Password Hash Instead of Password for Authentication

Read Time:37 Second

Description

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-287
CWE-602

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

An attacker could bypass the authentication routine without knowing the original password.

 

Potential Mitigations

CVE References

 

  • CVE-2009-1283
    • Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
  • CVE-2005-3435
    • Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.
CWE

CWE-835 – Loop with Unreachable Exit Condition (‘Infinite Loop’)

Read Time:1 Minute, 27 Second

Description

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-834
CWE-834

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification

An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software’s operation may slow down, or cause a long time to respond.

 

Potential Mitigations

CVE References

 

  • CVE-2011-1027
    • Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.
  • CVE-2011-1142
    • Chain: self-referential values in recursive definitions lead to infinite loop.
  • CVE-2011-1002
    • NULL UDP packet is never cleared from a queue, leading to infinite loop.
  • CVE-2006-6499
    • Chain: web browser crashes due to infinite loop – “bad
      looping logic [that relies on] floating point math [CWE-1339] to exit
      the loop [CWE-835]”
  • CVE-2010-4476
    • Floating point conversion routine cycles back and forth between two different values.
  • CVE-2010-4645
    • Floating point conversion routine cycles back and forth between two different values.
  • CVE-2010-2534
    • Chain: improperly clearing a pointer in a linked list leads to infinite loop.
  • CVE-2013-1591
    • Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
  • CVE-2008-3688
    • Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server.
CWE

CWE-834 – Excessive Iteration

Read Time:1 Minute, 6 Second

Description

The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the software or its host system; it depends on the amount of resources consumed per iteration.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart

Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The software’s operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to exhaustion of resources, such as an out-of-memory error.

 

Potential Mitigations

CVE References

 

  • CVE-2011-1027
    • Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.
  • CVE-2006-6499
    • Chain: web browser crashes due to infinite loop – “bad
      looping logic [that relies on] floating point math [CWE-1339] to exit
      the loop [CWE-835]”
CWE

CWE-833 – Deadlock

Read Time:1 Minute, 22 Second

Description

The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-667
CWE-662

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart

Each thread of execution will “hang” and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop.

 

Potential Mitigations

CVE References

 

  • CVE-1999-1476
    • A bug in some Intel Pentium processors allow DoS (hang) via an invalid “CMPXCHG8B” instruction, causing a deadlock
  • CVE-2009-4272
    • deadlock triggered by packets that force collisions in a routing table
  • CVE-2002-1850
    • read/write deadlock between web server and script
  • CVE-2004-0174
    • web server deadlock involving multiple listening connections
  • CVE-2009-1388
    • multiple simultaneous calls to the same function trigger deadlock.
  • CVE-2006-5158
    • chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
  • CVE-2006-4342
    • deadlock when an operation is performed on a resource while it is being removed.
  • CVE-2006-2374
    • Deadlock in device driver triggered by using file handle of a related device.
  • CVE-2006-2275
    • Deadlock when large number of small messages cannot be processed quickly enough.
  • CVE-2005-3847
    • OS kernel has deadlock triggered by a signal during a core dump.
  • CVE-2005-2456
    • Chain: array index error (CWE-129) leads to deadlock (CWE-833)
CWE

CWE-832 – Unlock of a Resource that is not Locked

Read Time:1 Minute, 1 Second

Description

The software attempts to unlock a resource that is not locked.

Depending on the locking functionality, an unlock of a non-locked resource might cause memory corruption or other modification to the resource (or its associated metadata that is used for tracking locks).

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-667

 

Consequences

Integrity, Confidentiality, Availability, Other: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Modify Memory, Other

Depending on the locking being used, an unlock operation might not have any adverse effects. When effects exist, the most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit; depending on the implementation of the unlocking, memory corruption or code execution could occur.

 

Potential Mitigations

CVE References

 

  • CVE-2010-4210
    • function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
  • CVE-2008-4302
    • Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
  • CVE-2009-1243
    • OS kernel performs an unlock in some incorrect circumstances, leading to panic.
CWE

CWE-831 – Signal Handler Function Associated with Multiple Signals

Read Time:36 Second

Description

The software defines a function that is used as a handler for more than one signal.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-364

 

Consequences

Availability, Integrity, Confidentiality, Access Control, Other: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Application Data, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Varies by Context

The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.

 

Potential Mitigations

CVE References

 

CWE

CWE-830 – Inclusion of Web Functionality from an Untrusted Source

Read Time:20 Second

Description

The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-829

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

CVE References

 

CWE

CWE-83 – Improper Neutralization of Script in Attributes in a Web Page

Read Time:2 Minute, 2 Second

Description

The software does not neutralize or incorrectly neutralizes “javascript:” or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-79

 

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2001-0520
    • Bypass filtering of SCRIPT tags using onload in BODY, href in A, BUTTON, INPUT, and others.
  • CVE-2002-1495
    • XSS in web-based email product via onmouseover event.
  • CVE-2004-1935
    • Onload, onmouseover, and other events in an e-mail attachment.
  • CVE-2005-0945
    • Onmouseover and onload events in img, link, and mail tags.
  • CVE-2003-1136
    • Javascript in onmouseover attribute in e-mail address or URL.
CWE

CWE-829 – Inclusion of Functionality from Untrusted Control Sphere

Read Time:3 Minute, 39 Second

Description

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-669
CWE-669

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

CVE References

 

  • CVE-2010-2076
    • Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.
  • CVE-2004-0285
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0030
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0068
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2157
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2162
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2198
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0128
    • Modification of assumed-immutable variable in configuration script leads to file inclusion.
  • CVE-2004-0127
    • Directory traversal vulnerability in PHP include statement.
  • CVE-2005-1971
    • Directory traversal vulnerability in PHP include statement.
  • CVE-2005-3335
    • PHP file inclusion issue, both remote and local; local include uses “..” and “%00” characters as a manipulation, but many remote file inclusion issues probably have this vector.
CWE

CWE-828 – Signal Handler with Functionality that is not Asynchronous-Safe

Read Time:1 Minute, 31 Second

Description

The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-364

 

Consequences

Integrity, Confidentiality, Availability: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands

The most common consequence will be a corruption of the state of the software, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.

 

Potential Mitigations

Phase: Implementation, Architecture and Design

Effectiveness: High

Description: 

Phase: Implementation

Effectiveness:

Description: 

Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. It also includes blocking all signals reliant upon the functionality when it is being accessed or modified by the normal behaviors of the software.

CVE References

 

  • CVE-2008-4109
    • Signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to denial of service via multiple login attempts
  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
  • CVE-2001-1349
    • unsafe calls to library functions from signal handler
  • CVE-2004-0794
    • SIGURG can be used to remotely interrupt signal handler; other variants exist.
  • CVE-2004-2259
    • SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.
  • CVE-2002-1563
    • SIGCHLD not blocked in a daemon loop while counter is modified, causing counter to get out of sync.