CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

Read Time:1 Minute, 48 Second

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-459
CWE-212
CWE-201

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness: High

Description:

During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0’s) or random data, before the transition to the next state.

Phase: Architecture and Design, Implementation

Effectiveness: High

Description:

When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though “logical” file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.

CVE References

CVE-2003-0001
- Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.

CVE-2003-0291
- router does not clear information from DHCP packets that have been previously used

CVE-2005-1406
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-1858
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-3180
- Products do not fully clear memory buffers when less data is stored into the buffer than previous.

CVE-2005-3276
- Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.

CVE-2002-2077
- Memory not properly cleared before reuse.

InCVE-2003-0001, CWE- 226, Sensitive Information in Resource Not Removed Before Reuse

The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)

US and Japan Blame North Korea for $308m Crypto Heist

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

Spyware Maker NSO Group Liable for WhatsApp User Hacks

Major Biometric Data Farming Operation Uncovered

Ransomware Attack Exposes Data of 5.6 Million Ascension Patients

Critical Vulnerabilities Found in WordPress Plugins WPLMS and VibeBP

Criminal Complaint against LockBit Ransomware Writer

Cryptomining Malware Found in Popular Open Source Packages

CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security