All posts by rocco

CWE-397 – Declaration of Throws for Generic Exception

Description

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java’s exception mechanism, for example, is set up to make it easy for callers to anticipate what can go wrong and write code to handle each specific exceptional circumstance. Declaring that a method throws a generic form of exception defeats this system.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-705
CWE-221
CWE-703

 

Consequences

Non-Repudiation, Other: Hide Activities, Alter Execution Logic

 

Potential Mitigations

CVE References

CWE-400 – Uncontrolled Resource Consumption

Description

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Modes of Introduction:

– Operation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-664

 

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

The most common result of resource exhaustion is denial of service. The software may slow down, crash due to unhandled errors, or lock out legitimate users.

Access Control, Other: Bypass Protection Mechanism, Other

In some cases it may be possible to force the software to “fail open” in the event of resource exhaustion. The state of the software, and possibly the security functionality, may then be compromised.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
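A sketch of the rate tracking described above, added here as an illustration and not taken from the CWE entry. The class name, limits and client identifiers are assumptions; the table of tracked clients is itself capped so that the limiter cannot be turned into a memory-exhaustion target.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter with a bounded client table (hypothetical helper)."""

    def __init__(self, max_requests, window, max_clients, clock=time.monotonic):
        self.max_requests = max_requests  # requests allowed per window
        self.window = window              # window length in seconds
        self.max_clients = max_clients    # cap on tracked clients
        self.clock = clock
        self._hits = {}                   # client id -> deque of timestamps

    def _evict_idle(self, now):
        """Forget clients whose newest request is older than the window."""
        for cid in list(self._hits):
            hits = self._hits[cid]
            if not hits or now - hits[-1] >= self.window:
                del self._hits[cid]

    def allow(self, client_id):
        now = self.clock()
        hits = self._hits.get(client_id)
        if hits is None:
            if len(self._hits) >= self.max_clients:
                self._evict_idle(now)
            if len(self._hits) >= self.max_clients:
                # Tracking table is full: refuse rather than fail open.
                return False
            hits = self._hits[client_id] = deque()
        # Drop timestamps that have left the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


# Constructed sample traffic: (timestamp in seconds, client id).
SAMPLE_EVENTS = [(0, "a"), (1, "a"), (2, "a"), (3, "a"),
                 (3, "b"), (4, "c"), (12, "a"), (14, "c")]


def replay(events, **limits):
    """Replay events against a limiter driven by the event timestamps."""
    current = [0]
    limiter = RateLimiter(clock=lambda: current[0], **limits)
    decisions = []
    for ts, client in events:
        current[0] = ts
        decisions.append(limiter.allow(client))
    return decisions


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, max_requests=3, window=10, max_clients=2))
```

Refusing new clients when the table is full trades availability for those clients against unbounded memory growth; size `max_clients` for the expected legitimate population.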

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Ensure that protocols have specific limits of scale placed on them.

Phase: Implementation

Description: 

Ensure that all failures in resource allocation place the system into a safe posture.

CVE References

  • CVE-2009-2874
    • Product allows attackers to cause a crash via a large number of connections.
  • CVE-2009-1928
    • Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
  • CVE-2009-2858
    • Chain: memory leak (CWE-404) leads to resource exhaustion.
  • CVE-2009-2726
    • Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
  • CVE-2009-2540
    • Large integer value for a length property in an object causes a large amount of memory allocation.
  • CVE-2009-2299
    • Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
  • CVE-2009-2054
    • Product allows exhaustion of file descriptors when processing a large number of TCP packets.
  • CVE-2008-5180
    • Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
  • CVE-2008-2121
    • TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack.
  • CVE-2008-2122
    • Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
  • CVE-2008-1700
    • Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
  • CVE-2007-4103
    • Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
  • CVE-2006-1173
    • Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.
  • CVE-2007-0897
    • Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

CWE-356 – Product UI does not Warn User of Unsafe Actions

Description

The software’s user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application’s GUI can indicate that the file is unsafe.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-221

 

Consequences

Non-Repudiation: Hide Activities

 

Potential Mitigations

CVE References

  • CVE-1999-1055
    • Product does not warn user when document contains certain dangerous functions or macros.
  • CVE-1999-0794
    • Product does not warn user when document contains certain dangerous functions or macros.
  • CVE-2000-0277
    • Product does not warn user when document contains certain dangerous functions or macros.
  • CVE-2000-0517
    • Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant.
  • CVE-2005-0602
    • File extractor does not warn user if setuid/setgid files could be extracted. Overlaps privileges/permissions.
  • CVE-2000-0342
    • E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment.

CWE-357 – Insufficient UI Warning of Dangerous Operations

Description

The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693

 

Consequences

Non-Repudiation: Hide Activities

 

Potential Mitigations

CVE References

  • CVE-2007-1099
    • User not sufficiently warned if host key mismatch occurs

CWE-358 – Improperly Implemented Security Check for Standard

Description

The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-573
CWE-693
CWE-345
CWE-290

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2002-0862
    • Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
  • CVE-2002-0970
    • Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
  • CVE-2002-1407
    • Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
  • CVE-2005-0198
    • Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).
  • CVE-2004-2163
    • Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
  • CVE-2005-2181
    • Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
  • CVE-2005-2182
    • Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
  • CVE-2005-2298
    • Security check not applied to all components, allowing bypass.

CWE-359 – Exposure of Private Personal Information to an Unauthorized Actor

Description

The product does not properly prevent a person’s private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-200

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Requirements

Description: 

Phase: Architecture and Design

Description: 

CVE References

CWE-36 – Absolute Path Traversal

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
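The weakness and a defensive check side by side, as an added example that is not part of the CWE entry. The base directory `/srv/files`, the function names and the sample inputs are assumptions; the check is lexical, so on a real file system resolve symlinks (for example with `os.path.realpath`) before comparing.

```python
import ntpath
import posixpath

BASE = "/srv/files"  # hypothetical restricted directory


def naive_resolve(user_path, base=BASE):
    """Weak form: join() silently discards `base` when user_path is absolute."""
    return posixpath.join(base, user_path)


def is_absolute_form(user_path):
    """True for POSIX-absolute, drive-letter and UNC-style input."""
    drive, _ = ntpath.splitdrive(user_path)
    return (
        posixpath.isabs(user_path)      # "/abs/path", "//absolute/path"
        or bool(drive)                  # "C:", "C:\\dir", UNC share prefix
        or user_path.startswith("\\")   # rooted Windows path without drive
    )


def safe_resolve(user_path, base=BASE):
    """Reject absolute forms, then confirm the result stays under `base`."""
    if "\x00" in user_path or is_absolute_form(user_path):
        raise ValueError("absolute path rejected: %r" % user_path)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath compares whole components, so "/srv/files_old" does not
    # pass as being inside "/srv/files".
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base: %r" % user_path)
    return candidate


# Constructed sample inputs covering the forms named in this entry.
SAMPLES = [
    "reports/q1.txt",
    "/etc/passwd",
    "C:",
    "//absolute/path",
    "\\\\host\\share\\file.txt",
    "../files_old/q1.txt",
]


def classify(samples, base=BASE):
    """Map each input to its resolved path, or None when it is rejected."""
    results = {}
    for sample in samples:
        try:
            results[sample] = safe_resolve(sample, base)
        except ValueError:
            results[sample] = None
    return results


if __name__ == "__main__":
    print("naive :", naive_resolve("/etc/passwd"))
    for path, resolved in classify(SAMPLES).items():
        print("%-28r -> %s" % (path, resolved))
```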

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-22

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.

Integrity: Modify Files or Directories

The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.

Confidentiality: Read Files or Directories

The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.

Availability: DoS: Crash, Exit, or Restart

The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and, in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the software.

 

Potential Mitigations

CVE References

  • CVE-2002-1345
    • Multiple FTP clients write arbitrary files via absolute paths in server responses
  • CVE-2000-0614
    • Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.
  • CVE-1999-1263
    • Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.
  • CVE-2003-0753
    • Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.
  • CVE-2002-1525
    • Remote attackers can read arbitrary files via an absolute pathname.
  • CVE-2001-0038
    • Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.
  • CVE-2001-0255
    • FTP server allows remote attackers to list arbitrary directories by using the “ls” command and including the drive letter name (e.g. C:) in the requested pathname.
  • CVE-2001-0933
    • FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.
  • CVE-2002-0466
    • Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.
  • CVE-2002-1483
    • Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form “C:” (Drive letter), “//absolute/path”, or “..”.
  • CVE-2004-2488
    • FTP server read/access arbitrary files using “C:” filenames
  • CVE-2001-0687
    • FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename).

CWE-360 – Trust of System Event Data

Description

Security based on event locations is insecure and can be spoofed.

Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-345

 

Consequences

Integrity, Confidentiality, Availability, Access Control: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Never trust or rely on any of the information in an Event for security.

CVE References

CWE-362 – Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

Description

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400).

Availability: DoS: Crash, Exit, or Restart, DoS: Instability

When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash.

Confidentiality, Integrity: Read Files or Directories, Read Application Data

When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).

 

Potential Mitigations

Phase: Architecture and Design

Description: 

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Phase: Architecture and Design

Description: 

Use thread-safe capabilities such as the data access abstraction in Spring.

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

When using multithreading and operating on shared variables, only use thread-safe functions.

Phase: Implementation

Description: 

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as “x++”. This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Phase: Implementation

Description: 

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
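The “x++” hazard and the mutex mitigation from the two items above, as an added example that is not part of the CWE entry. The function and class names are assumptions; the first function replays the read, compute and write steps under an explicit schedule so the lost update is reproducible instead of timing-dependent.

```python
import threading


def replay_increment(start, schedule):
    """Replay x++ for several workers as three separate steps.

    `schedule` is a string of worker ids; each occurrence advances that
    worker by one step (read, then compute, then write).
    """
    shared = {"x": start}

    def worker():
        tmp = shared["x"]   # step 1: read the shared value
        yield
        tmp = tmp + 1       # step 2: compute on the private copy
        yield
        shared["x"] = tmp   # step 3: write the result back
        yield

    workers = {}
    for wid in schedule:
        if wid not in workers:
            workers[wid] = worker()
        next(workers[wid])
    return shared["x"]


class Counter:
    """Counter whose read-modify-write is guarded by a mutex."""

    def __init__(self):
        self.value = 0
        self._lock = threading.Lock()

    def increment(self):
        # Only the critical section is wrapped, keeping lock hold time short.
        with self._lock:
            self.value += 1


def run_threads(n_threads, n_iter):
    """Increment one shared Counter from several threads; return the total."""
    counter = Counter()

    def work():
        for _ in range(n_iter):
            counter.increment()

    threads = [threading.Thread(target=work) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counter.value


if __name__ == "__main__":
    print("serial schedule     :", replay_increment(0, "AAABBB"))
    print("interleaved schedule:", replay_increment(0, "ABABAB"))
    print("locked, 4 threads   :", run_threads(4, 5000))
```

With the interleaved schedule both workers read the same starting value, so one increment is lost even though each worker ran its full read, compute and write sequence.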

Phase: Implementation

Description: 

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Phase: Implementation

Description: 

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Phase: Implementation

Description: 

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CVE References

  • CVE-2019-18827
    • chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
  • CVE-2014-8273
    • Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237].
  • CVE-2008-5044
    • Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
  • CVE-2008-2958
    • chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  • CVE-2008-1570
    • chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  • CVE-2008-0058
    • Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
  • CVE-2008-0379
    • Race condition during initialization triggers a buffer overflow.
  • CVE-2007-6599
    • Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
  • CVE-2007-6180
    • chain: race condition triggers NULL pointer dereference
  • CVE-2007-5794
    • Race condition in library function could cause data to be sent to the wrong process.
  • CVE-2007-3970
    • Race condition in file parser leads to heap corruption.
  • CVE-2008-5021
    • chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
  • CVE-2009-4895
    • chain: race condition for an argument value, possibly resulting in NULL dereference
  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).