CWE-404 - Improper Resource Shutdown or Release

Read Time:1 Minute, 33 Second

Description

The program does not release or incorrectly releases a resource before it is made available for re-use.

When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664
CWE-405
CWE-619

Consequences

Availability, Other: DoS: Resource Consumption (Other), Varies by Context

Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.

Confidentiality: Read Application Data

When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.

Potential Mitigations

Phase: Requirements

Description:

Phase: Implementation

Description:

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Phase: Implementation

Description:

Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

Phase: Implementation

Description:

When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.

CVE References

CVE-1999-1127
- Does not shut down named pipe connections if malformed data is sent.

CVE-2001-0830
- Sockets not properly closed when attacker repeatedly connects and disconnects from server.

CVE-2002-1372
- Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.

InCVE-1999-1127, CWE- 404, Improper Resource Shutdown or Release

White House to Tackle AI-Generated Sexual Abuse Images

Legacy Ivanti Cloud Service Appliance Being Exploited

Half of UK Firms Lack Basic Cybersecurity Skills

Advanced Phishing Attacks Put X Accounts at Risk

Apple to Drop Spyware Lawsuit Over Security Concerns

Tackling the Unique Cybersecurity Challenges of Online Learning Platforms

Meta Goes Ahead With Controversial AI Training in UK

23andMe Agrees to $30m Data Breach Settlement

UK Hosts International Cyber Skills Conference

CWE-404 – Improper Resource Shutdown or Release

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security