Description

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Modes of Introduction:

– Operation

Likelihood of Exploit: High

Related Weaknesses

CWE-664

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users.

Access Control, Other: Bypass Protection Mechanism, Other

In some cases it may be possible to force the software to "fail open" in the event of resource exhaustion. The state of the software, and possibly its security functionality, may then be compromised.

Potential Mitigations

Phase: Architecture and Design

Description:

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Phase: Architecture and Design

Description:

Ensure that protocols have specific limits of scale placed on them.

Phase: Implementation

Description:

Ensure that all failures in resource allocation place the system into a safe posture.
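The two Architecture and Design points above (track the rate of requests per user and block those over a defined threshold) and the Implementation point (a failed allocation must leave the system in a safe posture) can be shown together in one small throttle. The following is an added example written for this page, not code from CWE or any product it cites; the client identifiers and traffic are constructed, and the tracking table is itself bounded so the limiter cannot become the resource that is exhausted.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window throttle: at most max_requests per client in any window seconds.

    The per-client table is capped at max_clients so the limiter cannot itself be
    grown without bound; when it is full, unknown clients are refused (fail closed).
    """

    def __init__(self, max_requests, window, max_clients=10_000, clock=time.monotonic):
        self.max_requests, self.window, self.max_clients = max_requests, window, max_clients
        self.clock = clock
        self._hits = {}  # client id -> deque of request timestamps within the window

    def allow(self, client_id):
        now = self.clock()
        q = self._hits.get(client_id)
        if q is None:
            if len(self._hits) >= self.max_clients:
                self._evict_idle(now)
            if len(self._hits) >= self.max_clients:
                return False  # table full and nothing idle to evict: refuse, do not grow
            q = self._hits[client_id] = deque()
        while q and now - q[0] >= self.window:  # forget requests older than the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over the defined rate threshold
        q.append(now)
        return True

    def _evict_idle(self, now):
        for cid in [c for c, q in self._hits.items() if not q or now - q[-1] >= self.window]:
            del self._hits[cid]


def replay(traffic, max_requests=5, window=10.0, max_clients=2):
    """Replay constructed (timestamp, client) pairs with an injected clock; returns (client, allowed)."""
    t = [0.0]
    limiter = RateLimiter(max_requests, window, max_clients, clock=lambda: t[0])
    out = []
    for ts, client in traffic:
        t[0] = ts
        out.append((client, limiter.allow(client)))
    return out


# Constructed sample traffic (hypothetical clients "a", "b", "c"): a burst, a third
# client arriving while the small table is full, then retries after the window passes.
SAMPLE_TRAFFIC = [(0.0, "a")] * 5 + [(0.5, "a"), (1.0, "b"), (1.5, "c"), (11.0, "a"), (12.0, "c")]
```

With the sample traffic, the sixth request from "a" inside the window is throttled, "c" is refused while the bounded table is full, and both are admitted again once the window has elapsed.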

CVE References

  • CVE-2009-2874
    • Product allows attackers to cause a crash via a large number of connections.
  • CVE-2009-1928
    • Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
  • CVE-2009-2858
    • Chain: memory leak (CWE-404) leads to resource exhaustion.
  • CVE-2009-2726
    • Driver does not use a maximum width when invoking sscanf-style functions, causing stack consumption.
  • CVE-2009-2540
    • Large integer value for a length property in an object causes a large amount of memory allocation.
  • CVE-2009-2299
    • Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
  • CVE-2009-2054
    • Product allows exhaustion of file descriptors when processing a large number of TCP packets.
  • CVE-2008-5180
    • Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
  • CVE-2008-2121
    • TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack.
  • CVE-2008-2122
    • Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
  • CVE-2008-1700
    • Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
  • CVE-2007-4103
    • Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
  • CVE-2006-1173
    • Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.
  • CVE-2007-0897
    • Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.