CWE-207 – Observable Behavioral Discrepancy With Equivalent Products

Description

The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.

For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform “fingerprinting,” which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product’s vendor, model, configuration, version, etc.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-205

 

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2002-0208
    • Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
  • CVE-2004-2252
    • Behavioral infoleak by responding to SYN-FIN packets.
  • CVE-2000-1142
    • Honeypot generates an error with a “pwd” command in a particular directory, allowing attacker to know they are in a honeypot system.

CWE-208 – Observable Timing Discrepancy

Description

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product’s internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
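The username-enumeration timing leak described by CVE-2003-0637, CVE-2003-0190 and CVE-2004-1602 is the simplest instance of this weakness, so here it is side by side with the fix. This is an added example written for this page, not code from any of the affected products: the credential store, salt and password are constructed for the demo, and the login functions are hypothetical names.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed demo credential store (not from any real product):
# username -> (salt, PBKDF2-HMAC-SHA256 digest of the password).
ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = b"demo-salt-not-for-production"
USERS = {"alice": (_SALT, derive("correct horse battery staple", _SALT))}

# Throwaway record used for unknown usernames so the same amount of work is
# done whether or not the account exists. The password is random, so it can
# never match, and the final membership check rejects the user anyway.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, derive(os.urandom(16).hex(), _DUMMY_SALT))


def login_leaky(username: str, password: str) -> bool:
    """The CVE-2003-0637 / CVE-2003-0190 / CVE-2004-1602 pattern: an unknown
    user is rejected before any expensive work, so a miss answers orders of
    magnitude faster than a hit, and the response time enumerates accounts."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    # bytes '==' may also stop at the first differing byte (content-dependent time).
    return derive(password, salt) == expected


def login_uniform(username: str, password: str) -> bool:
    """Always derive and compare, using the dummy record for unknown users;
    hmac.compare_digest takes time independent of where the digests differ."""
    salt, expected = USERS.get(username, _DUMMY)
    digest_ok = hmac.compare_digest(derive(password, salt), expected)
    return digest_ok and username in USERS


def median_seconds(fn, *args, reps: int = 7) -> float:
    samples = []
    for _ in range(reps):
        start = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def timing_ratio(login) -> float:
    """How much longer a request for an existing user takes than one for an
    unknown user. A ratio near 1.0 means the response time does not reveal
    whether the account exists; the leaky version is in the thousands."""
    hit = median_seconds(login, "alice", "wrong password")
    miss = median_seconds(login, "nobody", "wrong password")
    return hit / miss


if __name__ == "__main__":
    for login in (login_leaky, login_uniform):
        print(f"{login.__name__}: existing/unknown time ratio = {timing_ratio(login):.1f}")
```

Two things matter in the hardened version: the expensive operation runs on every path, and the final comparison is not data-dependent. Equalising work locally does not remove network jitter, but it removes the signal an attacker would average it out of.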

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-203
CWE-385
CWE-327

 

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2003-0078
    • SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the “Vaudenay timing attack.”
  • CVE-2000-1117
    • Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
  • CVE-2003-0637
    • Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.
  • CVE-2003-0190
    • Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
  • CVE-2004-1602
    • FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.
  • CVE-2005-0918
    • Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.

CWE-209 – Generation of Error Message Containing Sensitive Information

Description

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-200
CWE-755

 

Consequences

Confidentiality: Read Application Data

This often reveals either details about the environment (paths, versions, configuration) that can be used to plan a later attack, or private data stored on the server.

 

Potential Mitigations

Phase: Implementation

Description: 

Handle exceptions internally and do not display errors containing potentially sensitive information to a user.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

This makes it easier to spot places in the code where sensitive data is handled in the clear, including where it is about to be written into an error message.

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

Phase: System Configuration

Description: 

Where available, configure the environment to use less verbose error messages. For example, in PHP, set display_errors to Off (in php.ini, or at runtime via ini_set) so that errors are written to the log instead of the response; error_reporting() only selects which error levels are reported at all and is not a substitute for turning display off.

Phase: System Configuration

Description: 

Create default error pages or messages that do not leak any information.
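The two Implementation mitigations above (handle exceptions internally; return a default message) are easiest to see as a before/after of one request handler. This is an added example for this page, not code from any product in the CVE list: the database layer, its connection string and the handler names are constructed stand-ins, and the same pattern covers CWE-211 because the interpreter-generated traceback is exactly what the leaky version forwards.

```python
import traceback
import uuid


class DatabaseError(Exception):
    pass


def connect_and_query(user_id: str) -> dict:
    """Constructed stand-in for a database layer whose exception text embeds the
    DSN and a config path, much as a real driver error can."""
    dsn = "postgresql://app:S3cretPassw0rd@db.internal:5432/prod"
    raise DatabaseError(f"could not connect to {dsn} (config: /srv/app/config/db.yaml)")


def lookup_leaky(user_id: str) -> dict:
    """CWE-209/CWE-211: the raw exception text and the interpreter's traceback
    (source paths, line numbers, local function names) go straight to the client."""
    try:
        return {"status": 200, "body": connect_and_query(user_id)}
    except Exception as exc:
        return {"status": 500, "body": f"Internal error: {exc}\n{traceback.format_exc()}"}


def lookup_safe(user_id: str, server_log: list) -> dict:
    """Handle the exception internally: full detail goes to a server-side log
    keyed by a random reference id; the client gets only the id, which support
    staff can use to find the log entry."""
    try:
        return {"status": 200, "body": connect_and_query(user_id)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        server_log.append(f"ref={ref} user_id={user_id!r}\n{traceback.format_exc()}")
        return {"status": 500, "body": f"An internal error occurred (reference {ref})."}


def leaks_secrets(body: str) -> bool:
    """Cheap check a response filter could run: does the body carry anything
    that looks like our DSN, credentials or filesystem layout?"""
    return any(marker in body for marker in ("S3cretPassw0rd", "postgresql://", "/srv/", "Traceback"))


if __name__ == "__main__":
    log: list = []
    print(lookup_leaky("42")["body"])
    print(lookup_safe("42", log)["body"])
    print("server log:", log[0])
```

The reference id is the important design choice: it keeps the detail available to whoever is debugging without putting it on the wire. A response filter like leaks_secrets is a last line of defence, not a replacement for the try/except, because an unhandled exception in a framework's default handler may never pass through it.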

CVE References

  • CVE-2008-2049
    • POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
  • CVE-2007-5172
    • Program reveals password in error message if attacker can trigger certain database errors.
  • CVE-2008-4638
    • Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
  • CVE-2008-1579
    • Existence of user names can be determined by requesting a nonexistent blog and reading the error message.
  • CVE-2007-1409
    • Direct request to library file in web application triggers pathname leak in error message.
  • CVE-2008-3060
    • Malformed input to login page causes leak of full path when IMAP call fails.
  • CVE-2005-0603
    • Malformed regexp syntax leads to information exposure in error message.
  • CVE-2017-9615
    • Verbose logging stores admin credentials in a world-readable log file.

CWE-210 – Self-generated Error Message Containing Sensitive Information

Description

The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-209

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

CVE References

  • CVE-2005-1745
    • Infoleak of sensitive information in error message (physical access required).

CWE-211 – Externally-Generated Error Message Containing Sensitive Information

Description

The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-209

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: System Configuration

Description: 

Configure the application’s environment so that externally generated error details are not shown to users, even if the underlying error still occurs. For example, in PHP, disable display_errors so that interpreter errors go to the log rather than the response.

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

Phase: Implementation

Description: 

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Phase: Implementation

Description: 

The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.

CVE References

  • CVE-2004-1581
    • chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
  • CVE-2004-1579
    • Single quote character (') inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
  • CVE-2005-0459
    • chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
  • CVE-2005-0443
    • invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
  • CVE-2005-0433
    • Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
  • CVE-2004-1101
    • Improper handling of filename request with trailing “/” causes multiple consequences, including information leak in Visual Basic error message.

CWE-212 – Improper Removal of Sensitive Information Before Storage or Transfer

Description

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-669
CWE-201

 

Consequences

Confidentiality: Read Files or Directories, Read Application Data

Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences which will depend on what data is exposed. One possibility is the exposure of system data allowing an attacker to craft a specific, more effective attack.

 

Potential Mitigations

Phase: Requirements

Description: 

Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

This makes it easier to spot places in the code where sensitive data is handled in the clear, and therefore where it must be removed before a resource leaves the product's control sphere.

Phase: Implementation

Description: 

Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.

CVE References

  • CVE-2005-0406
    • Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
  • CVE-2002-0704
    • NAT feature in firewall leaks internal IP addresses in ICMP error messages.
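The CVE-2005-0406 case (an edited JPEG that still carries the original Exif thumbnail) is a good one to make concrete, because the fix is a header-segment walk rather than anything image-specific. Below is an added example for this page, not code from any image editor: a minimal JPEG marker-segment parser that drops the metadata segments (APP1 to APP15 and COM) before export. The sample file is a constructed, structurally valid skeleton with placeholder payloads, not a real photograph or a real Exif/TIFF structure; the function and constant names are this example's own.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, COM = 0xE0, 0xE1, 0xFE
# Segments that carry metadata rather than image data: APP1..APP15 (Exif incl.
# its IFD1 thumbnail, XMP, ICC, Photoshop IRB, ...) and COM. APP0 (JFIF) is
# kept because some decoders expect it and it holds no user data.
METADATA_MARKERS = frozenset(range(0xE1, 0xF0)) | {COM}


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: FF <marker> <2-byte big-endian length, counting itself> payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _header_segments(data: bytes):
    """Yield (marker, start, end) for each header segment. On reaching SOS (or
    a bare EOI) yield that marker with end == len(data) and stop: everything
    from SOS onward is entropy-coded scan data and cannot hold metadata."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker in (SOS, EOI):
            yield marker, i, len(data)
            return
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        yield marker, i, end
        i = end
    raise ValueError("truncated JPEG (no SOS/EOI)")


def strip_metadata(data: bytes, drop=METADATA_MARKERS) -> bytes:
    """Copy the JPEG, omitting every header segment whose marker is in `drop`."""
    out = bytearray(data[:2])
    for marker, start, end in _header_segments(data):
        if marker not in drop:
            out += data[start:end]
    return bytes(out)


def header_markers(data: bytes) -> list:
    """Markers of the header segments, in order (useful to audit an export)."""
    return [m for m, _, _ in _header_segments(data) if m not in (SOS, EOI)]


# Constructed sample: the APP1 segment stands in for an Exif block whose
# thumbnail still shows the unedited picture; the COM segment holds a GPS fix.
THUMBNAIL = b"ORIGINAL-THUMBNAIL-PIXELS"
SAMPLE = (
    b"\xff\xd8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00MM\x00*" + THUMBNAIL)
    + segment(COM, b"GPS 48.8584N 2.2945E")
    + segment(0xDB, b"\x00" + bytes(64))                       # DQT: quantisation table
    + segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")    # SOF0: 8x8 grayscale
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"  # scan header + fake coded data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE)
    print("before:", [hex(m) for m in header_markers(SAMPLE)])
    print("after: ", [hex(m) for m in header_markers(clean)])
```

Dropping APP1 wholesale is the safe default for publishing: it removes the embedded thumbnail along with everything else. Keeping selected Exif fields (orientation, colour space) while removing the thumbnail and GPS tags would require parsing the TIFF/IFD structure inside APP1, which is where editors that "modified the image but not the thumbnail" went wrong. The parser deliberately refuses to guess on malformed lengths rather than skipping ahead, since a resource in an incomplete state is exactly the CWE-404 case the last mitigation warns about.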

CWE-213 – Exposure of Sensitive Information Due to Incompatible Policies

Description

The product’s intended functionality exposes information to certain actors in accordance with the developer’s security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product’s administrator, users, or others whose information is being processed.

Modes of Introduction:

– Policy

 

 

Related Weaknesses

CWE-200

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

CVE References

  • CVE-2005-1205
    • Telnet protocol allows servers to obtain sensitive environment information from clients.
  • CVE-2005-0488
    • Telnet protocol allows servers to obtain sensitive environment information from clients.

CWE-214 – Invocation of Process Using Visible Sensitive Information

Description

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.
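To see the exposure described above rather than take it on faith, the following added example (written for this page, not taken from any of the products in the CVE list) launches a child with a secret on its command line and reads that command line back the way `ps` does, via /proc/<pid>/cmdline on Linux, then shows the usual fix of passing the secret over a pipe instead. The secret value, the child programs and the function names are constructed for the demo; on a system without /proc the read simply returns None.

```python
import hashlib
import os
import subprocess
import sys

SECRET = "hunter2-demo-only"  # constructed value, not a real credential


def proc_available() -> bool:
    """True on Linux, where /proc/<pid>/cmdline exposes any process's argv."""
    return os.path.exists("/proc/self/cmdline")


def read_cmdline(pid: int):
    """What `ps -o args` shows: the argument vector of an arbitrary process,
    readable by every local user on Linux regardless of who owns the process.
    (/proc/<pid>/environ is restricted to the owner, which is why the
    environment-variable case in CVE-2004-1058 needed a kernel race.)"""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
    except OSError:
        return None


def run_with_secret_in_argv(secret: str):
    """CWE-214: the secret is an argument, so it sits in the child's argv for
    its whole lifetime (the CVE-2001-1565 / CVE-2004-1948 pattern).
    Returns the child's command line as another local user would see it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", "--password", secret]
    )
    try:
        return read_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


# Child program for the safe variant: reads the secret from stdin and proves
# receipt by printing its SHA-256. Stand-in for a real tool that accepts a
# password on stdin, from a file descriptor, or from a mode-0600 file.
_CHILD = (
    "import sys, hashlib;"
    "s = sys.stdin.readline().rstrip('\\n');"
    "print(hashlib.sha256(s.encode()).hexdigest())"
)


def run_with_secret_on_stdin(secret: str) -> str:
    """argv now carries nothing sensitive; the secret travels over a pipe that
    only the parent and child hold. Returns what the child printed."""
    result = subprocess.run(
        [sys.executable, "-c", _CHILD],
        input=secret + "\n", capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def expected_digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


if __name__ == "__main__":
    print("argv as seen by other users:", run_with_secret_in_argv(SECRET))
    print("child received secret, digest:", run_with_secret_on_stdin(SECRET))
```

Overwriting argv after startup (as some daemons do) narrows the window but does not close it, since the listing is available from the moment exec completes; the pipe or file-descriptor approach never exposes the value at all.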

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-497

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

CVE References

  • CVE-2001-1565
    • Username/password on command line allows local users to view via “ps” or other process listing programs.
  • CVE-2004-1948
    • Username/password on command line allows local users to view via “ps” or other process listing programs.
  • CVE-1999-1270
    • PGP passphrase provided as command line argument.
  • CVE-2004-1058
    • Kernel race condition allows reading of environment variables of a process that is still spawning.

CWE-215 – Insertion of Sensitive Information Into Debugging Code

Description

The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-200

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Implementation

Description: 

Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.

CVE References

  • CVE-2002-0918
    • CGI script includes sensitive information in debug messages when an error is triggered.
  • CVE-2003-1078
    • FTP client with debug option enabled shows password to the screen.

CWE-216 – DEPRECATED: Containment Errors (Container Errors)

Description

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the “container” term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

Modes of Introduction:

 

 

Related Weaknesses

 

Consequences

 

Potential Mitigations

CVE References