All posts by rocco

CWE

CWE-343 – Predictable Value Range from Previous Values

Read Time:1 Minute, 13 Second

Description

The software’s random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.

The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-340

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase:

Description: 

Increase the entropy used to seed a PRNG.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

CWE

CWE-344 – Use of Invariant Value in Dynamically Changing Context

Read Time:22 Second

Description

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-330

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

  • CVE-2002-0980
    • Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
CWE

CWE-346 – Origin Validation Error

Read Time:57 Second

Description

The software does not properly verify that the source of data or communication is valid.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345
CWE-345
CWE-284

 

Consequences

Access Control, Other: Gain Privileges or Assume Identity, Varies by Context

An attacker can access any functionality that is inadvertently accessible to the source.

 

Potential Mitigations

CVE References

  • CVE-2000-1218
    • DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
  • CVE-2005-0877
    • DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
  • CVE-2001-1452
    • DNS server caches glue records received from non-delegated name servers
  • CVE-2003-0174
    • LDAP service does not verify if a particular attribute was set by the LDAP server
  • CVE-1999-1549
    • product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
  • CVE-2003-0981
    • product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
CWE

CWE-347 – Improper Verification of Cryptographic Signature

Read Time:31 Second

Description

The software does not verify, or incorrectly verifies, the cryptographic signature for data.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345
CWE-345

 

Consequences

Access Control, Integrity, Confidentiality: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands

An attacker could gain access to sensitive data and possibly execute unauthorized code.

 

Potential Mitigations

CVE References

  • CVE-2002-1796
    • Does not properly verify signatures for “trusted” entities.
  • CVE-2002-1706
    • Accepts a configuration file without a Message Integrity Check (MIC) signature.
CWE

CWE-348 – Use of Less Trusted Source

Read Time:54 Second

Description

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.

 

Potential Mitigations

CVE References

  • CVE-2001-0860
    • Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
  • CVE-2004-1950
    • Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
  • CVE-2001-0908
    • Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
  • CVE-2006-1126
    • PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.
CWE

CWE-349 – Acceptance of Extraneous Untrusted Data With Trusted Data

Read Time:33 Second

Description

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345

 

Consequences

Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data

An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

 

Potential Mitigations

CVE References

  • CVE-2002-0018
    • Does not verify that trusted entity is authoritative for all entities in its response.
  • CVE-2006-5462
    • use of extra data in a signature allows certificate signature forging
CWE

CWE-35 – Path Traversal: ‘…/…//’

Read Time:48 Second

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘…/…//’ (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-23

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2005-2169
    • chain: “…/…//” bypasses protection mechanism using regexp’s that remove “../” resulting in collapse into an unsafe value “../” (CWE-182) and resultant path traversal.
  • CVE-2005-0202
    • “…/….///” bypasses regexp’s that remove “./” and “../”
CWE

CWE-350 – Reliance on Reverse DNS Resolution for a Security-Critical Action

Read Time:1 Minute, 8 Second

Description

The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-290
CWE-923
CWE-807
CWE-923

 

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Malicious users can fake authentication information by providing false DNS information.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

Phase: Implementation

Description: 

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

CVE References

  • CVE-2001-1488
    • Does not do double-reverse lookup to prevent DNS spoofing.
  • CVE-2001-1500
    • Does not verify reverse-resolved hostnames in DNS.
  • CVE-2000-1221
    • Authentication bypass using spoofed reverse-resolved DNS hostnames.
  • CVE-2002-0804
    • Authentication bypass using spoofed reverse-resolved DNS hostnames.
  • CVE-2001-1155
    • Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.
  • CVE-2004-0892
    • Reverse DNS lookup used to spoof trusted content in intermediary.
  • CVE-2003-0981
    • Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
CWE

CWE-351 – Insufficient Type Distinction

Read Time:26 Second

Description

The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-345
CWE-436

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

  • CVE-2005-2260
    • Browser user interface does not distinguish between user-initiated and synthetic events.
  • CVE-2005-2801
    • Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error.