All posts by rocco

CWE-154 – Improper Neutralization of Variable Name Delimiters

Read Time:1 Minute, 32 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.

As data is parsed, an injected delimiter may cause the process to take unexpected actions that result in an attack. Example: “$” for an environment variable.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that variable name delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2005-0129
    • “%” variable is expanded by wildcard function into disallowed commands.
  • CVE-2002-0770
    • Server trusts client to expand macros, allows macro characters to be expanded to trigger resultant information exposure.

CWE-155 – Improper Neutralization of Wildcards or Matching Symbols

Read Time:1 Minute, 30 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

As data is parsed, an injected element may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-0433
    • Bypass file restrictions using wildcard character.
  • CVE-2002-1010
    • Bypass file restrictions using wildcard character.

CWE-156 – Improper Neutralization of Whitespace

Read Time:1 Minute, 30 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.

This can include space, tab, etc.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-0637
    • MIE. virus protection bypass with RFC violations involving extra whitespace, or missing whitespace.
  • CVE-2004-0942
    • CPU consumption with MIME headers containing lines with many space characters, probably due to algorithmic complexity (RESOURCE.AMP.ALG).
  • CVE-2003-1015
    • MIE. whitespace interpreted differently by mail clients.

CWE-1327 – Binding to an Unrestricted IP Address

Read Time:25 Second

Description

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

Modes of Introduction:

– System Configuration

 

 

Related Weaknesses

CWE-668

 

Consequences

Availability: DoS: Amplification

 

Potential Mitigations

Phase: System Configuration

Effectiveness: High

Description: 

Assign IP addresses that are not 0.0.0.0.

Phase: System Configuration

Effectiveness: High

Description: 

Unwanted connections to the configured server may be denied through a firewall or other packet filtering measures.

CVE References

CWE-1328 – Security Version Number Mutable to Older Versions

Read Time:37 Second

Description

Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-285
CWE-757

 

Consequences

Confidentiality, Integrity, Authentication, Authorization: Other

Impact includes roll-back or downgrade to a vulnerable version of the firmware or DoS (prevent upgrades).

 

Potential Mitigations

Phase: Architecture and Design

Description: 

When architecting the system, security version data should be designated for storage in registers that are either read-only or have access controls that prevent modification by an untrusted agent.

Phase: Implementation

Description: 

During implementation and test, security version data should be demonstrated to be read-only and access controls should be validated.

CVE References

CWE-1329 – Reliance on Component That is Not Updateable

Read Time:1 Minute, 27 Second

Description

The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.

Modes of Introduction:

– Requirements

 

 

Related Weaknesses

CWE-1357
CWE-664

 

Consequences

Confidentiality, Integrity, Access Control, Authentication, Authorization, Other: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Quality Degradation, Reduce Maintainability

If an attacker can identify an exploitable vulnerability in one product that has no means of patching, the attack may be used against all affected versions of that product.

 

Potential Mitigations

Phase: Requirements

Description: 

Specify requirements that each component should be updateable, including ROM, firmware, etc.

Phase: Architecture and Design

Description: 

Design the product to allow for updating of its components. Include the external infrastructure that might be necessary to support updates, such as distribution servers.

Phase: Architecture and Design, Implementation

Effectiveness: Moderate

Description: 

With hardware, support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used for limited patching of devices after shipping, or for the next batch of silicon devices manufactured, without changing the full device ROM.

Some parts of the hardware initialization or signature verification done to authenticate patches will always be “not patchable.” Hardware-fuse-based patches will also have limitations in terms of size and the number of patches that can be supported.

Phase: Implementation

Description: 

Implement the necessary functionality to allow each component to be updated.

CVE References

  • CVE-2020-9054
    • Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are “end-of-support” and cannot be patched (CWE-1277). [REF-1097]

CWE-1330 – Remanent Data Readable after Memory Erase

Read Time:38 Second

Description

Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1301
CWE-1301

 

Consequences

Confidentiality: Modify Memory, Read Memory

Confidential data are readable to untrusted agent.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2019-8575
    • Firmware Data Deletion Vulnerability in which a base station factory reset might not delete all user information. The impact of this enables a new owner of a used device that has been “factory-default reset” with a vulnerable firmware version can still retrieve, at least, the previous owner’s wireless network name, and the previous owner’s wireless security (such as WPA2) key. This issue was addressed with improved, data deletion.

CWE-1331 – Improper Isolation of Shared Resources in Network On Chip (NoC)

Read Time:35 Second

Description

The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-653
CWE-668
CWE-1189

 

Consequences

Confidentiality, Availability: DoS: Resource Consumption (Other), Varies by Context, Other

Attackers may infer data that belongs to a trusted agent; the methods used to perform this attack may result in noticeably increased resource consumption.

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Implement priority-based arbitration inside the NoC and have dedicated buffers or virtual channels for routing secret data from trusted agents.

CVE References

CWE-1332 – Improper Handling of Faults that Lead to Instruction Skips

Read Time:1 Minute, 13 Second

Description

The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1384
CWE-1247

 

Consequences

Confidentiality, Integrity, Authentication: Bypass Protection Mechanism, Alter Execution Logic, Unexpected State

Depending on the context, instruction skipping can
have a broad range of consequences related to the
generic bypassing of security critical code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Design strategies for ensuring safe failure if
inputs such as Vcc are modified out of acceptable
ranges.

Phase: Architecture and Design

Description: 

Design strategies for ensuring safe behavior if
instructions attempt to be skipped.

Phase: Architecture and Design

Description: 

Identify mission critical secrets that should
be wiped if faulting is detected, and design a
mechanism to do the deletion.

Phase: Implementation

Description: 

Add redundancy by performing an operation
multiple times, either in space or time, and perform
majority voting. Additionally, make conditional
instruction timing unpredictable.

Phase: Implementation

Description: 

Use redundant operations or canaries to
detect faults.

Phase: Implementation

Description: 

Ensure that fault mitigations are strong enough
in practice. For example, a low power detection
mechanism that takes 50 clock cycles to trigger at lower
voltages may be an insufficient security mechanism if
the instruction counter has already progressed with no
other CPU activity occurring.

CVE References

  • CVE-2019-15894
    • fault injection attack bypasses the verification mode, potentially allowing arbitrary code execution.

CWE-1333 – Inefficient Regular Expression Complexity

Read Time:1 Minute, 29 Second

Description

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Some regular expression engines have a feature called “backtracking”. If the token cannot match, the engine “backtracks” to a position that may result in a different token that can match.
Backtracking becomes a weakness if all of these conditions are met:

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-407
CWE-185

 

Consequences

Availability: DoS: Resource Consumption (CPU)

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

This is one of the few effective solutions when using user-provided regular expressions.

Phase: System Configuration

Effectiveness: Moderate

Description: 

Set backtracking limits in the configuration of the regular expression implementation, such as PHP’s pcre.backtrack_limit. Also consider limits on execution time for the process.

Phase: Implementation

Effectiveness: High

Description: 

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Phase: Implementation

Effectiveness: Moderate

Description: 

Limit the length of the input that the regular expression will process.

CVE References

  • CVE-2020-5243
    • server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
  • CVE-2019-16215
    • Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
  • CVE-2019-6785
    • Long string in a version control product allows DoS due to an inefficient regex.
  • CVE-2019-12041
    • Javascript code allows ReDoS via a long string due to excessive backtracking.