CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

Read Time:1 Minute, 48 Second

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-459
CWE-212
CWE-201

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness: High

Description:

During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0’s) or random data, before the transition to the next state.

Phase: Architecture and Design, Implementation

Effectiveness: High

Description:

When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though “logical” file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.

CVE References

CVE-2003-0001
- Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.

CVE-2003-0291
- router does not clear information from DHCP packets that have been previously used

CVE-2005-1406
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-1858
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-3180
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-3276
- Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.

CVE-2002-2077
- Memory not properly cleared before reuse.

InCVE-2003-0001, CWE- 226, Sensitive Information in Resource Not Removed Before Reuse

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries

Cryptojacking Gang TeamTNT Makes a Comeback

Insecure APIs and Bot Attacks Cost Global Firms $186bn

Smashing Security podcast #385: TFL security derailed, and is Trump the king of crypto?

CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security