All posts by rocco

Vulnerabilities of the TLS Protocol


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for securing online communication. They provide encryption and authentication between two applications over a network, protecting the confidentiality and integrity of the data transmitted between them.

However, SSL/TLS is not invulnerable, and over the years several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant is the POODLE attack, discovered in 2014, which affects older versions of SSL/TLS. It exploits the way SSL/TLS handles padding in the encryption process, enabling an attacker to read encrypted information, including sensitive data such as passwords and credit card numbers.

Another vulnerability is the BEAST attack, which exploits a flaw in the way older versions of the protocol handle block ciphers. It allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third vulnerability is known as the DROWN attack, which exploits weak protocols such as SSLv2. It allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.

To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.

It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.

Another crucial step is to keep your TLS certificates current; they verify the identity of the server you’re communicating with and help ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to renew them before they expire to maintain maximum security.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
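As an added illustration of the recommendations above (not code from the original post), the following Python builds a client-side SSLContext limited to TLS 1.2 and 1.3 with AEAD cipher suites, audits an existing context for the weak settings discussed here, and computes how many days remain on a certificate from the dictionary that SSLSocket.getpeercert() returns. The weak-cipher markers and the sample certificate dates are assumptions constructed for the example.

```python
import ssl

# Substrings that mark cipher suites a hardened configuration should not offer:
# RC4 and (3)DES, MD5 MACs, NULL encryption, export-grade suites, and anonymous
# Diffie-Hellman. Matched case-insensitively against OpenSSL suite names (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Cipher string for TLS 1.2 and below; TLS 1.3 suites are fixed by the library
# and are always AEAD, so they need no configuration here.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"


def weak_cipher_names(names):
    """Return the cipher suite names in *names* that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext that only speaks TLS 1.2 and 1.3 with strong suites."""
    ctx = ssl.create_default_context(purpose)
    # A TLS 1.2 floor rules out SSLv2, SSLv3 (POODLE) and TLS 1.0 (BEAST) outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression stays disabled
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit_context(ctx):
    """Return a list of findings for *ctx*; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version}; require TLS 1.2 or newer"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    offered = [c["name"] for c in ctx.get_ciphers()]
    for name in weak_cipher_names(offered):
        findings.append(f"weak cipher suite offered: {name}")
    return findings


def cert_days_remaining(cert, now):
    """Whole days until *cert* expires, given the epoch time *now*.

    *cert* is a dict shaped like SSLSocket.getpeercert(), whose 'notAfter'
    field uses the "Jan 31 00:00:00 2030 GMT" format that ssl parses.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) // 86400


if __name__ == "__main__":
    ctx = hardened_context()
    print("findings:", audit_context(ctx) or "none")
    # Constructed sample: certificate expiring 30 days after 2030-01-01 00:00 UTC.
    sample_cert = {"notAfter": "Jan 31 00:00:00 2030 GMT"}
    print("days remaining:", cert_days_remaining(sample_cert, 1893456000))
```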

CWE


CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support all those methods (including automated ones) that help control and prevent software errors. CWE can be used during development, during code review, and later during penetration testing to classify the vulnerability type and communicate it to developers. The list is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.

The CWE Top 25 Most Dangerous Software Weaknesses list collects the most common programming errors that can lead to software vulnerabilities. Vulnerabilities in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting and CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten; compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weaknesses list serves the same purpose but focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

The CWE entries are listed below.

  • CWE-775 – Missing Release of File Descriptor or Handle after Effective Lifetime

    Description: The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles,…

  • CWE-776 – Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

    Description: The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing…

  • CWE-777 – Regular Expression without Anchors

    Description: The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to…

  • CWE-778 – Insufficient Logging

    Description: When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.…

  • CWE-779 – Logging of Excessive Data

    Description: The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a…

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

    Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Modes of Introduction: Architecture and Design. Likelihood of Exploit: High.…

  • CWE-780 – Use of RSA Algorithm without OAEP

    Description: The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.…

  • CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

    Description: The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing…

  • CWE-782 – Exposed IOCTL with Insufficient Access Control

    Description: The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-749, CWE-781. Consequences: Integrity, Availability, Confidentiality: Attackers can invoke any functionality that the IOCTL offers. Depending on the…

  • CWE-783 – Operator Precedence Logic Error

    Description: The program uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-670…

  • CWE-784 – Reliance on Cookies without Validation and Integrity Checking in a Security Decision

    Description: The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms…

  • CWE-785 – Use of Path Manipulation Function without Maximum-sized Buffer

    Description: The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others. Windows provides…

  • CWE-732 – Incorrect Permission Assignment for Critical Resource

    Description: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification…

  • CWE-733 – Compiler Optimization Removal or Modification of Security-critical Code

    Description: The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. Related Weaknesses: CWE-1038. Consequences: Access Control, Other: Bypass Protection Mechanism, Other. CVE References: CVE-2008-1685 C compiler optimization, as…

  • CWE-74 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)

    Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Software has certain assumptions about what constitutes…

  • CWE-749 – Exposed Dangerous Method or Function

    Description: The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. Modes of Introduction: Architecture and Design. Likelihood of Exploit: Low. Related Weaknesses: CWE-664, CWE-691. Consequences: Integrity, Confidentiality, Availability, Access Control, Other:…

  • CWE-75 – Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

    Description: The software does not adequately filter user-controlled input for special elements with control implications. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-74. Consequences: Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands. Potential Mitigations: Phase: Requirements. Programming languages and supporting technologies might…

  • CWE-754 – Improper Check for Unusual or Exceptional Conditions

    Description: The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by…

  • CWE-755 – Improper Handling of Exceptional Conditions

    Description: The software does not handle or incorrectly handles an exceptional condition. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-703. Consequences: Other: Other. CVE References: CVE-2021-3011 virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a…

  • CWE-756 – Missing Custom Error Page

    Description: The software does not return custom error pages to the user, possibly exposing sensitive information. Related Weaknesses: CWE-755, CWE-209. Consequences: Confidentiality: Read Application Data. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other…

  • CWE-757 – Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)

    Description: A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. When a security mechanism can be forced to downgrade to…

  • CWE-758 – Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

    Description: The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. This can lead to resultant weaknesses when the required properties change, such as when the software is ported to a different platform or if an interaction…

  • CWE-759 – Use of a One-Way Hash without a Salt

    Description: The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.…

  • CWE-76 – Improper Neutralization of Equivalent Special Elements

    Description: The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to…

  • CWE-760 – Use of a One-Way Hash with a Predictable Salt

    Description: The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. Modes of…

  • CWE-761 – Free of Pointer not at Start of Buffer

    Description: The application calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. Modes of Introduction: Implementation. Related Weaknesses: CWE-763, CWE-404. Consequences: Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…

  • CWE-762 – Mismatched Memory Management Routines

    Description: The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-763, CWE-404. Consequences: Integrity, Availability, Confidentiality: Modify Memory, DoS:…

  • CWE-763 – Release of Invalid Pointer or Reference

    Description: The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. Modes of Introduction: Implementation. Related Weaknesses: CWE-404. Consequences: Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or…

  • CWE-764 – Multiple Locks of a Critical Resource

    Description: The software locks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-765 – Multiple Unlocks of a Critical Resource

    Description: The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-766 – Critical Data Element Declared Public

    Description: The software declares a critical variable, field, or member to be public when intended security policy requires it to be private. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-1061. Consequences: Integrity, Confidentiality: Read Application Data, Modify Application Data. Making a critical variable public allows anyone with access…

  • CWE-767 – Access to Critical Private Variable via Public Method

    Description: The software defines a public method that reads or modifies a private variable. If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further…

  • CWE-690 – Unchecked Return Value to NULL Pointer Dereference

    Description: The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to…

  • CWE-691 – Insufficient Control Flow Management

    Description: The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. Modes of Introduction: Architecture and Design. Consequences: Other: Alter Execution Logic.

  • CWE-692 – Incomplete Denylist to Cross-Site Scripting

    Description: The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet”…

  • CWE-693 – Protection Mechanism Failure

    Description: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakness covers three distinct situations. A “missing” protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An “insufficient” protection mechanism might provide some defenses…

  • CWE-694 – Use of Multiple Resources with Duplicate Identifier

    Description: The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier. Modes of…

  • CWE-695 – Use of Low-Level Functionality

    Description: The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate. The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack. Modes of Introduction:…

  • CWE-696 – Incorrect Behavior Order

    Description: The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-691. Consequences: Integrity: Alter Execution Logic. CVE References: CVE-2019-9805 Chain: Creation of the packet…

  • CWE-697 – Incorrect Comparison

    Description: The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. Modes of Introduction: Implementation. Consequences: Other: Varies by Context. CVE References: CVE-2016-10003 Proxy performs incorrect comparison of request headers, leading to infoleak.

  • CWE-698 – Execution After Redirect (EAR)

    Description: The web application sends a redirect to another location, but instead of exiting, it executes additional code. Modes of Introduction: Implementation. Related Weaknesses: CWE-705, CWE-670. Consequences: Other, Confidentiality, Integrity, Availability: Alter Execution Logic, Execute Unauthorized Code or Commands. This weakness could affect the control flow of the application…

  • CWE-7 – J2EE Misconfiguration: Missing Custom Error Page

    Description: The default error page of a web application should not display sensitive information about the software system. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-756. Consequences: Confidentiality: Read Application Data. A stack trace might show the attacker a malformed SQL query string, the type of database being…

  • CWE-703 – Improper Check or Handling of Exceptional Conditions

    Description: The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. Modes of Introduction: Architecture and Design. Consequences: Confidentiality, Availability, Integrity: Read Application Data, DoS: Crash, Exit, or Restart, Unexpected State.

  • CWE-704 – Incorrect Type Conversion or Cast

    Description: The software does not correctly convert an object, resource, or structure from one type to a different type. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-664. Consequences: Other: Other.

  • CWE-705 – Incorrect Control Flow Scoping

    Description: The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-691. Consequences: Other: Alter Execution Logic, Other. CVE References: CVE-2014-1266 chain: incorrect “goto”…

  • CWE-706 – Use of Incorrectly-Resolved Name or Reference

    Description: The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-664, CWE-99. Consequences: Confidentiality, Integrity: Read Application Data, Modify Application Data. Potential Mitigations…

  • CWE-707 – Improper Neutralization

    Description: The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. Modes of Introduction: Architecture and Design. Consequences: Other: Other. Potential…

  • CWE-708 – Incorrect Ownership Assignment

    Description: The software assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors outside of the intended control sphere. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-282, CWE-345. Consequences: Confidentiality, Integrity: Read…

  • CWE-71 – DEPRECATED: Apple ‘.DS_Store’

    Description: This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62.

  • CWE-710 – Improper Adherence to Coding Standards

    Description: The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. Modes of Introduction: Architecture and Design. Consequences: Other: Other. Potential Mitigations: Phase: Implementation. Document and closely follow coding standards.…

  • CWE-72 – Improper Handling of Apple HFS+ Alternate Data Stream Path

    Description: The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if…

  • CWE-73 – External Control of File Name or Path

    Description: The software allows user input to control or influence paths or file names that are used in filesystem operations. Modes of Introduction: Architecture and Design. Likelihood of Exploit: High. Related Weaknesses: CWE-642, CWE-610, CWE-20, CWE-22, CWE-41, CWE-98, CWE-434, CWE-59. Consequences: Integrity, Confidentiality: Read Files or Directories, Modify Files or Directories. The…

CWE-669 – Incorrect Resource Transfer Between Spheres


Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-664

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

Potential Mitigations

CVE References

CWE-67 – Improper Handling of Windows Device Names


Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device by injecting a virtual filename into a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed, DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-66

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

Potential Mitigations

Phase: Implementation

Description:

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
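As an added example (not part of the CWE entry or any project's code), the following Python applies the Win32 naming rules to user-supplied file names and URL paths so that reserved device names are caught before a file is opened. The reserved set, the helper names and the sample inputs are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Classic reserved DOS device names in the Win32 namespace (assumed set; extend it
# if the deployment target documents additional names).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def _base_name(component):
    """Apply the Win32 normalisation that decides whether a name hits a device."""
    name = component.rstrip(" .")   # Win32 drops trailing spaces and dots
    name = name.split(":", 1)[0]    # "AUX:" or "AUX:stream" still opens AUX
    name = name.split(".", 1)[0]    # "CON.txt" and "NUL.tar.gz" are still devices
    # Conservative: also treat "con .txt" as CON rather than trust edge-case behaviour.
    return name.strip().upper()


def is_reserved_device_name(component):
    """True if a single path component would be resolved to a DOS device."""
    return _base_name(component) in RESERVED_DEVICE_NAMES


def find_device_names(path):
    """Return every component of *path* (split on / or \\) that names a device."""
    return [p for p in re.split(r"[\\/]+", path) if p and is_reserved_device_name(p)]


def find_device_names_in_url_path(url_path):
    """Percent-decode first, so a device name hidden as %61ux is caught too."""
    return find_device_names(unquote(url_path))


def safe_filename(name, prefix="_"):
    """Neutralise a user-supplied file name by prefixing reserved device names."""
    return prefix + name if is_reserved_device_name(name) else name


if __name__ == "__main__":
    # Constructed samples modelled on the CVE summaries below (.JSP/.cgi requests).
    for sample in ("/docs/aux.jsp", "/cgi-bin/%63on.cgi", "/docs/config.jsp"):
        print(sample, "->", find_device_names_in_url_path(sample) or "clean")
    print(safe_filename("prn.txt"), safe_filename("report.txt"))
```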

CVE References

  • CVE-2002-0106: Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200: Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052: Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493: Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558: Server allows a remote attacker to create a denial of service via a URL request which includes an MS-DOS device name.
  • CVE-2000-0168: Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492: Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552: Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195: Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

CWE-670 – Always-Incorrect Control Flow Implementation


Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-691

Consequences

Other: Other, Alter Execution Logic

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code

CWE-671 – Lack of Administrator Control over Security

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product’s administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats, including the product’s developer, can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, exposing that product to attacks that the administrator cannot prevent.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-657

Consequences

Other: Varies by Context

Potential Mitigations

CVE References

CWE-672 – Operation on a Resource after Expiration or Release

Description

The software uses, accesses, or otherwise operates on a resource after that resource has expired, been released, or been revoked.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-666

Consequences

Integrity, Confidentiality: Modify Application Data, Read Application Data

If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Other, Availability: Other, DoS: Crash, Exit, or Restart

When a resource is released it might not be in an expected state; later attempts to access the resource may lead to resultant errors that cause a crash.
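An added example, not from the CWE text, of the first consequence above: a hypothetical session pool whose slots are reused after release. The handle layout (generation in the high bits, slot index in the low byte), the slot count and the owner names are assumptions for the illustration. The unchecked accessor trusts the index alone and serves a stale handle another user's data; the checked accessor ties each handle to the slot's generation, so a handle that outlived its release is rejected:

```c
#include <stdio.h>
#include <string.h>

#define NSLOTS    4
#define OWNER_LEN 16

/* One pooled session slot. `gen` counts how many times the slot has been issued. */
typedef struct {
    int      in_use;
    unsigned gen;
    char     owner[OWNER_LEN];
} slot_t;

static slot_t pool[NSLOTS];

/* Handle layout assumed for this example: generation in the high bits, slot index
 * in the low 8 bits. A generation of 0 is never issued, so 0 is never a valid handle. */
typedef unsigned handle_t;
#define HANDLE_NONE 0u

void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
}

handle_t slot_acquire(const char *owner)
{
    for (unsigned i = 0; i < NSLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].gen++;                            /* every reuse gets a fresh generation */
            snprintf(pool[i].owner, OWNER_LEN, "%s", owner);
            return (pool[i].gen << 8) | i;
        }
    }
    return HANDLE_NONE;
}

/* Resolves a handle only if the slot is live and its generation still matches.
 * A handle that outlived slot_release(), or whose slot was since reallocated, yields NULL. */
static slot_t *slot_lookup(handle_t h)
{
    unsigned i = h & 0xffu;
    if (h == HANDLE_NONE || i >= NSLOTS)
        return NULL;
    if (!pool[i].in_use || pool[i].gen != (h >> 8))
        return NULL;
    return &pool[i];
}

int slot_release(handle_t h)
{
    slot_t *s = slot_lookup(h);
    if (!s)
        return -1;                                    /* stale or double release is refused */
    s->in_use = 0;
    memset(s->owner, 0, OWNER_LEN);
    return 0;
}

/* CWE-672: trusts the index inside the handle and never asks whether the slot was
 * released and handed to someone else since the handle was issued. */
const char *slot_owner_unchecked(handle_t h)
{
    unsigned i = h & 0xffu;
    return i < NSLOTS ? pool[i].owner : NULL;
}

const char *slot_owner_checked(handle_t h)
{
    slot_t *s = slot_lookup(h);
    return s ? s->owner : NULL;
}

/* Constructed scenario: alice's handle outlives its release and bob lands in the same slot. */
typedef struct { handle_t stale; handle_t live; } scenario_t;

scenario_t run_scenario(void)
{
    scenario_t sc;
    pool_reset();
    sc.stale = slot_acquire("alice");
    slot_release(sc.stale);
    sc.live = slot_acquire("bob");                    /* same index, next generation */
    return sc;
}

int main(void)
{
    scenario_t sc = run_scenario();
    printf("unchecked read through alice's stale handle: %s\n", slot_owner_unchecked(sc.stale));
    printf("checked read through the same handle:       %s\n",
           slot_owner_checked(sc.stale) ? slot_owner_checked(sc.stale) : "(rejected)");
    return 0;
}
```

The generation check also turns a double release into a rejected call rather than a second free of a slot that now belongs to someone else. The same idea applies to file descriptors, cached credentials and session tokens, where "released" means closed, rotated or revoked.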

Potential Mitigations

CVE References

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference

CWE-673 – External Influence of Sphere Definition

Description

The product does not prevent the definition of control spheres from external actors.

Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-664

Consequences

Other: Other

Potential Mitigations

CVE References

CWE-674 – Uncontrolled Recursion

Description

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-691

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality: Read Application Data

In some cases, an application’s interpreter might kill a process or thread that appears to be consuming too many resources, such as with PHP’s memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application’s installation path.

Potential Mitigations

Phase: Implementation

Effectiveness: Moderate

Description: 

Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Phase: Implementation

Effectiveness: Limited

Description: 

Increase the stack size.

Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault.
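The depth-limit mitigation above, as an added C example rather than code from the CWE entry: a recursive parser for nested parentheses, standing in for the nested descriptors and XML elements in the CVEs listed below. MAX_NEST and the bracket grammar are assumptions for the illustration. A limit of 0 reproduces the weakness (recursion depth is whatever the input dictates); a positive limit is an end condition that holds regardless of the input:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NEST 64   /* depth limit assumed for this example; derive a real one from real inputs */

/* Parses one parenthesised group, `p` pointing just past its '('. Returns a pointer
 * past the matching ')' or NULL with *err set: -1 unbalanced, -2 deeper than `limit`.
 * A `limit` of 0 disables the check and leaves the depth entirely to the input (CWE-674). */
static const char *parse_group(const char *p, int depth, int limit, int *deepest, int *err)
{
    if (limit > 0 && depth > limit) {     /* end condition the attacker cannot move */
        *err = -2;
        return NULL;
    }
    if (depth > *deepest)
        *deepest = depth;
    while (*p) {
        if (*p == '(') {
            p = parse_group(p + 1, depth + 1, limit, deepest, err);
            if (!p)
                return NULL;
        } else if (*p == ')') {
            return p + 1;
        } else {
            p++;
        }
    }
    *err = -1;                            /* input ended inside a group */
    return NULL;
}

/* Top level. Returns 0 and sets *deepest to the maximum nesting, or -1 / -2 as above. */
int nest_depth(const char *s, int limit, int *deepest)
{
    int err = 0;
    const char *p = s;
    *deepest = 0;
    while (*p) {
        if (*p == '(') {
            p = parse_group(p + 1, 1, limit, deepest, &err);
            if (!p)
                return err;
        } else if (*p == ')') {
            return -1;                    /* stray close at top level */
        } else {
            p++;
        }
    }
    return 0;
}

/* Convenience: the maximum nesting of `s`, or the negative error code. */
int max_nesting(const char *s, int limit)
{
    int deepest = 0;
    int rc = nest_depth(s, limit, &deepest);
    return rc < 0 ? rc : deepest;
}

/* Constructed hostile input: n '(' followed by n ')', i.e. one group nested n deep. */
int check_balanced_input(size_t n, int limit)
{
    char *buf = malloc(2 * n + 1);
    if (!buf)
        return -3;
    memset(buf, '(', n);
    memset(buf + n, ')', n);
    buf[2 * n] = '\0';
    int rc = max_nesting(buf, limit);
    free(buf);
    return rc;
}

int main(void)
{
    printf("depth of \"a(b(c)(d(e)))\": %d\n", max_nesting("a(b(c)(d(e)))", MAX_NEST));
    printf("100000-deep input, limit %d: %d\n", MAX_NEST, check_balanced_input(100000, MAX_NEST));
    /* check_balanced_input(100000, 0) would recurse 100000 frames deep; for a large
     * enough n it exhausts the stack, which is the weakness itself. */
    return 0;
}
```

Pick the limit from what legitimate inputs actually need, and treat a rejected input as a parse error rather than a reason to raise the stack size, since the next input can always be one level deeper.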

CVE References

  • CVE-2007-3409
    • Self-referencing pointers create infinite loop and resultant stack exhaustion.
  • CVE-2016-10707
    • JavaScript application accidentally changes its input in a way that prevents a recursive call from detecting its exit condition.
  • CVE-2016-3627
    • While attempting to recover a corrupted XML file, the infinite-recursion protection counter was not always incremented, so the exit condition could be missed.
  • CVE-2019-15118
    • USB-audio driver’s descriptor code parsing allows unlimited recursion leading to stack exhaustion.