CWE-204 - Observable Response Discrepancy

Read Time:1 Minute, 49 Second

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-203

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description:

Phase: Implementation

Description:

CVE References

CVE-2002-2094
- This, and others, use “..” attacks and monitor error responses, so there is overlap with directory traversal.

CVE-2001-1483
- Enumeration of valid usernames based on inconsistent responses

CVE-2001-1528
- Account number enumeration via inconsistent responses.

CVE-2004-2150
- User enumeration via discrepancies in error messages.

CVE-2005-1650
- User enumeration via discrepancies in error messages.

CVE-2004-0294
- Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.

CVE-2004-0243
- Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.

CVE-2002-0514
- Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.

CVE-2002-0515
- Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.

CVE-2001-1387
- Product may generate different responses than specified by the administrator, possibly leading to an information leak.

CVE-2004-0778
- Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.

CVE-2004-1428
- FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.

InCVE-2002-2094, CWE- 204, Observable Response Discrepancy

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries

Cryptojacking Gang TeamTNT Makes a Comeback

Insecure APIs and Bot Attacks Cost Global Firms $186bn

Smashing Security podcast #385: TFL security derailed, and is Trump the king of crypto?

CWE-204 – Observable Response Discrepancy

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security