All posts by rocco

CWE-44 – Path Equivalence: ‘file.name’ (Internal Dot)

Description

A software system that accepts path input in the form of internal dot (‘file.ordir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-41

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

CVE References

CWE-440 – Expected Behavior Violation

Description

A feature, API, or function does not perform according to its specification.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-684

Consequences

Other: Quality Degradation, Varies by Context

Potential Mitigations

CVE References

  • CVE-2003-0187
    • Program uses large timeouts on “undeserving” to compensate for inconsistency of support for linked lists.
  • CVE-2003-0465
    • “strncpy” in the Linux kernel acts differently from libc on x86, leading to an expected-behavior difference – sort of a multiple interpretation error?
  • CVE-2005-3265
    • Buffer overflow in product stems from the use of a third-party library function that is expected to have internal protection against overflows, but doesn’t.

CWE-441 – Unintended Proxy or Intermediary (‘Confused Deputy’)

Description

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-610
CWE-668

Consequences

Non-Repudiation, Access Control: Gain Privileges or Assume Identity, Hide Activities, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design

Description: 

Enforce the use of a strong mutual authentication mechanism between the two parties.

Phase: Architecture and Design

Description: 

Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.

CVE References

  • CVE-1999-0017
    • FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker’s.
  • CVE-1999-0168
    • RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.
  • CVE-2005-0315
    • FTP server does not ensure that the IP address in a PORT command is the same as the FTP user’s session, allowing port scanning by proxy.
  • CVE-2002-1484
    • Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
  • CVE-2001-1484
    • Bounce attack allows access to TFTP from trusted side.
  • CVE-2010-1637
    • Web-based mail program allows internal network scanning using a modified POP3 port number.
  • CVE-2009-0037
    • URL-downloading library automatically follows redirects to file:// and scp:// URLs.

CWE-401 – Missing Release of Memory after Effective Lifetime

Description

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-772
CWE-404

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Instability, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.

Other: Reduce Performance

Potential Mitigations

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Phase: Architecture and Design, Build and Compilation

Description: 

The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.

This is not a complete solution as it is not 100% effective.

CVE References

  • CVE-2005-3119
    • Memory leak because function does not free() an element of a data structure.
  • CVE-2004-0427
    • Memory leak when counter variable is not decremented.
  • CVE-2002-0574
    • chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2005-3181
    • Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
  • CVE-2004-0222
    • Memory leak via unknown manipulations as part of protocol test suite.

CWE-402 – Transmission of Private Resources into a New Sphere (‘Resource Leak’)

Description

The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-668

Consequences

Confidentiality: Read Application Data

Potential Mitigations

CVE References

CWE-403 – Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)

Description

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.
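The inheritance described above, as an added example that is not part of the original post: a descriptor opened without close-on-exec is still usable by a program the child execs, while requesting O_CLOEXEC at open time, or setting FD_CLOEXEC later with fcntl(), closes it across execve(). It assumes a POSIX system with /bin/sh and uses /dev/null as a constructed stand-in for the sensitive file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec /bin/sh, and have it try to write through descriptor fd.
 * Returns 1 if the exec'd child could still use the descriptor, 0 if it had
 * been closed across exec, -1 if fork()/waitpid() failed. */
int child_can_use_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "printf '' >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: starts with every open fd of the parent */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Retrofit for a descriptor that is already open (e.g. handed out by a
 * library): mark it close-on-exec with fcntl(). Returns 0 on success. */
int mark_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open /dev/null (constructed stand-in for a sensitive file) with extra open
 * flags oflags, optionally retrofit FD_CLOEXEC, and report whether an exec'd
 * child can still use it. CWE-403 is survives_exec(0, 0) == 1; the fixes are
 * survives_exec(O_CLOEXEC, 0) and survives_exec(0, 1), both 0. */
int survives_exec(int oflags, int retrofit) {
    int fd = open("/dev/null", O_WRONLY | oflags);
    if (fd < 0) return -1;
    if (retrofit && mark_cloexec(fd) != 0) { close(fd); return -1; }
    int r = child_can_use_fd(fd);
    close(fd);                          /* parent no longer needs it either */
    return r;
}
```

The shell prints a "Bad file descriptor" message on stderr in the fixed cases; that error, not the parent's bookkeeping, is what proves the descriptor did not cross exec.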

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-402

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

CVE References

  • CVE-2003-0740
    • Server leaks a privileged file descriptor, allowing the server to be hijacked.
  • CVE-2004-1033
    • File descriptor leak allows read of restricted files.
  • CVE-2000-0094
    • Access to restricted resource using modified file descriptor for stderr.
  • CVE-2002-0638
    • Open file descriptor used as alternate channel in complex race condition.
  • CVE-2003-0489
    • Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.
  • CVE-2003-0937
    • User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor.
  • CVE-2004-2215
    • Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users.
  • CVE-2006-5397
    • Module opens a file for reading twice, allowing attackers to read files.

CWE-404 – Improper Resource Shutdown or Release

Description

The program does not release or incorrectly releases a resource before it is made available for re-use.

When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-664
CWE-405
CWE-619

Consequences

Availability, Other: DoS: Resource Consumption (Other), Varies by Context

Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.

Confidentiality: Read Application Data

When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.

Potential Mitigations

Phase: Requirements

Description: 

Phase: Implementation

Description: 

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Phase: Implementation

Description: 

Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

Phase: Implementation

Description: 

When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
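An added example (not from the original posts) covering the CWE-401 and CWE-404 mitigations above: a constructor that leaks on its error paths beside a version with a single cleanup exit, plus a matching release function that frees the member buffers before the object itself. The tracked_malloc()/tracked_free() counter is a constructed stand-in for a leak checker such as valgrind.

```c
#include <stdlib.h>
#include <string.h>

/* Allocation counter standing in for a leak checker such as valgrind: every
 * tracked_malloc() must be paired with exactly one tracked_free(). */
static long live_blocks = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void tracked_free(void *p) { if (p) { live_blocks--; free(p); } }
typedef struct { char *name; int *values; } record;
enum { MAX_VALUES = 1000 };
/* Matching release for the whole object: member buffers first, then the object. */
void record_free(record *r) {
    if (r) { tracked_free(r->values); tracked_free(r->name); tracked_free(r); }
}
/* CWE-401/404 pattern: each early return abandons what was already allocated. */
record *record_new_leaky(const char *name, size_t n) {
    record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    r->name = tracked_malloc(strlen(name) + 1);
    if (!r->name) return NULL;                 /* leaks r */
    strcpy(r->name, name);
    if (n > MAX_VALUES) return NULL;           /* rejected input leaks r and r->name */
    r->values = tracked_malloc(n * sizeof *r->values);
    if (!r->values) return NULL;               /* leaks r and r->name */
    return r;
}
/* Fixed: one failure exit, and record_free() releases whatever exists so far. */
record *record_new(const char *name, size_t n) {
    record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    *r = (record){0};                          /* NULL members are safe to free */
    r->name = tracked_malloc(strlen(name) + 1);
    if (!r->name) goto fail;
    strcpy(r->name, name);
    if (n > MAX_VALUES) goto fail;
    r->values = tracked_malloc(n * sizeof *r->values);
    if (!r->values) goto fail;
    return r;
fail:
    record_free(r);
    return NULL;
}
/* Blocks left live after one rejected input plus one build-and-free round trip; correct code gives 0. */
long leaked_blocks(record *(*ctor)(const char *, size_t)) {
    long before = live_blocks;
    record_free(ctor("probe", MAX_VALUES + 1));
    record_free(ctor("probe", 8));
    return live_blocks - before;
}
```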

CVE References

  • CVE-1999-1127
    • Does not shut down named pipe connections if malformed data is sent.
  • CVE-2001-0830
    • Sockets not properly closed when attacker repeatedly connects and disconnects from server.
  • CVE-2002-1372
    • Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.

CWE-405 – Asymmetric Resource Consumption (Amplification)

Description

Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.

This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network.

Modes of Introduction:

– Operation

Related Weaknesses

CWE-664

Consequences

Availability: DoS: Amplification, DoS: Resource Consumption (Other)

Sometimes this is a factor in “flood” attacks, but other types of amplification exist.

Potential Mitigations

Phase: Architecture and Design

Description: 

An application must make resources available to a client commensurate with the client’s access level.

Phase: Architecture and Design

Description: 

An application must, at all times, keep track of allocated resources and meter their usage appropriately.

CVE References

CWE-406 – Insufficient Control of Network Message Volume (Network Amplification)

Description

The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.

In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended to serve as an amplifying attack on target systems. Systems can often be configured to restrict the amount of traffic sent out on behalf of a client, based on the client’s origin or access level. This is usually defined in a resource allocation policy. In the absence of a mechanism to keep track of transmissions, the system or application can be easily abused to transmit asymmetrically greater traffic than the request or client should be permitted to.

Modes of Introduction:

– Operation

Related Weaknesses

CWE-405

Consequences

Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

System resources can be quickly consumed leading to poor application performance or system crash. This may affect network performance and could be used to attack other systems and applications relying on network performance.

Potential Mitigations

Phase: Architecture and Design

Description: 

An application must make network resources available to a client commensurate with the client’s access level.

Phase: Policy

Description: 

Define a clear policy for network resource allocation and consumption.

Phase: Implementation

Description: 

An application must, at all times, keep track of network resources and meter their usage appropriately.

CVE References

  • CVE-1999-0513
    • Classic “Smurf” attack, using spoofed ICMP packets to broadcast addresses.
  • CVE-1999-1379
    • DNS query with spoofed source address causes more traffic to be returned to spoofed address than was sent by the attacker.
  • CVE-2000-0041
    • Large datagrams are sent in response to malformed datagrams.
  • CVE-2013-5211
    • composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

CWE-407 – Inefficient Algorithmic Complexity

Description

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

Related Weaknesses

CWE-405

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.

Potential Mitigations

CVE References

  • CVE-2003-0244
    • CPU consumption via inputs that cause many hash table collisions.
  • CVE-2003-0364
    • CPU consumption via inputs that cause many hash table collisions.
  • CVE-2002-1203
    • Product performs unnecessary processing before dropping an invalid packet.
  • CVE-2004-2527
    • Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
  • CVE-2006-6931
    • Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a “backtracking attack.”
  • CVE-2006-3380
    • Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
  • CVE-2006-3379
    • Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
  • CVE-2005-2506
    • OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
  • CVE-2005-1792
    • Memory leak by performing actions faster than the software can clear them.