All posts by rocco

CWE-1334 – Unauthorized Error Injection Can Degrade Hardware Redundancy


Description

An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Integrity, Availability: DoS: Crash, Exit, or Restart, DoS: Instability, Quality Degradation, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance, Reduce Reliability, Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure the design does not allow error injection in modes intended for normal run-time operation. Provide access controls on interfaces for injecting errors.

Phase: Implementation

Description: 

Disallow error injection in modes which are expected to be used for normal run-time operation. Provide access controls on interfaces for injecting errors.

Phase: Integration

Description: 

Add an access control layer atop any unprotected interfaces for injecting errors.

CVE References

CWE-1335 – Incorrect Bitwise Shift of Integer


Description

An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682

 

Consequences

Integrity: DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Description: 

Implicitly or explicitly add checks and mitigation for negative or over-shift values.
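The check described above, as an added example that is not part of the CWE entry: a guarded 32-bit left shift that rejects negative and over-shift counts (both undefined behaviour in C), used in a constructed scenario shaped like the ext4 CVEs listed below, where a block size derived from an untrusted exponent field becomes a divisor. The function names, the 1024-byte base block size and the metadata field are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not from the CWE entry: a guarded 32-bit left shift.
 * Shifting by a negative count or by >= the operand width is undefined
 * behaviour in C, so both are rejected before the shift happens. */
bool shl_u32_checked(uint32_t value, int shift, uint32_t *out) {
    if (shift < 0 || shift >= 32) {
        return false;                     /* negative shift or over-shift */
    }
    /* Also reject shifts that would push set bits out the top (overflow). */
    if (shift > 0 && (value >> (32 - shift)) != 0) {
        return false;
    }
    *out = value << shift;
    return true;
}

/* Constructed scenario (assumption, not the ext4 code): a block size is
 * derived from a size-exponent field read from untrusted on-disk metadata
 * and then used as a divisor. Without the guard, an over-shift can yield 0
 * and the division faults. Returns -1 when the exponent is rejected. */
int64_t blocks_for_size(uint64_t total_bytes, int log_block_size) {
    uint32_t block_size;
    if (!shl_u32_checked(1024u, log_block_size, &block_size)) {
        return -1;
    }
    return (int64_t)(total_bytes / block_size);
}
```

The overflow guard is the part most implementations forget: a shift count that is technically in range can still discard set bits, which is the same class of "unexpected or indeterminate result" the description warns about.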

CVE References

  • CVE-2009-4307
    • An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero.
  • CVE-2012-2100
    • An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero – fix of CVE-2009-4307.
  • CVE-2020-8835
    • An overshift in a kernel allowed out-of-bounds reads and writes resulting in a root takeover.
  • CVE-2015-1607
    • Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error.
  • CVE-2016-9842
    • Compression function improperly executes a signed left shift of a negative integer.
  • CVE-2018-18445
    • Some kernels improperly handle right shifts of 32-bit numbers in a 64-bit register.
  • CVE-2013-4206
    • Putty has an incorrectly sized shift value resulting in an overshift.
  • CVE-2018-20788
    • LED driver overshifts under certain conditions resulting in a DoS.

CWE-1336 – Improper Neutralization of Special Elements Used in a Template Engine


Description

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-94

 

Consequences

Integrity: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.

Phase: Implementation

Description: 

Use the template engine’s sandbox or restricted mode, if available.

CVE References

  • CVE-2017-16783
    • server-side template injection in content management server
  • CVE-2020-9437
    • authentication / identity management product has client-side template injection
  • CVE-2020-4027
    • bypass of Server-Side Template Injection protection mechanism with macros in Velocity templates
  • CVE-2020-26282
    • web browser proxy server allows Java EL expressions from Server-Side Template Injection
  • CVE-2020-1961
    • SSTI involving mail templates and JEXL expressions
  • CVE-2019-19999
    • product does not use a “safe” setting for a FreeMarker configuration, allowing SSTI
  • CVE-2018-20465
    • product allows read of sensitive database username/password variables using server-side template injection

CWE-1338 – Improper Protections Against Hardware Overheating


Description

A hardware device is missing or has inadequate protection features to prevent overheating.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693

 

Consequences

Availability: DoS: Resource Consumption (Other)

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level.

Phase: Implementation

Description: 

The platform should support cooling solutions such as fans that can be modulated based on device-operation needs to maintain a stable temperature.

CVE References

CWE-1339 – Insufficient Precision or Accuracy of a Real Number


Description

The program processes a real number with an implementation in which the number’s representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.

There are three major ways to store real numbers in computers. Each method is described along with the limitations of how they store their numbers.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682
CWE-190
CWE-834
CWE-119

 

Consequences

Availability: DoS: Crash, Exit, or Restart

This weakness will generally lead to undefined results and therefore crashes. In some implementations the program will halt if the weakness causes an overflow during a calculation.

Integrity: Execute Unauthorized Code or Commands

The results of the math are not as expected. This could cause issues where a value would not be properly calculated and provide an incorrect answer.

Confidentiality, Availability, Access Control: Read Application Data, Modify Application Data

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

 

Potential Mitigations

Phase: Implementation, Patching and Maintenance

Description: 

The developer or maintainer can move to a more accurate representation of real numbers. In extreme cases, the programmer can move to representations such as ratios of BigInts which can represent real numbers to extremely fine precision. The programmer can also use the concept of an Unum real. The memory and CPU tradeoffs of this change must be examined. Since floating point reals are used in many programs and many locations, they are implemented in hardware and most format changes will cause the calculations to be moved into software resulting in slower programs.
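The "loop that relies on floating point math to exit" pattern from the CVE list below, as an added example that is not part of the CWE entry, next to two ways of fixing it. The function names, the 0.1 step and the iteration cap are assumptions for illustration; the cap stands in for the hang that the real bug produced.

```c
#include <stdbool.h>

/* Added example, not from the CWE entry. */

/* Accumulates 0.1 until x equals 1.0 exactly. In IEEE-754 double, 0.1 is not
 * representable, so ten additions land on 0.9999999999999999, the test never
 * succeeds, and the loop runs until the safety cap. Returns the iteration
 * count, which equals the cap. */
int float_loop_iterations(int cap) {
    int iterations = 0;
    for (double x = 0.0; x != 1.0; x += 0.1) {
        if (++iterations >= cap) {
            break;                 /* cap stands in for "the program hung" */
        }
    }
    return iterations;
}

/* Fix 1: drive the loop with an integer counter and derive the real value
 * from it, so termination never depends on an inexact comparison. Returns the
 * number of samples visited. */
int integer_loop_iterations(int tenths_to_cover) {
    int iterations = 0;
    double sum = 0.0;
    for (int tenths = 0; tenths < tenths_to_cover; tenths++) {
        double x = tenths / 10.0;  /* the real value is used, never tested for exit */
        sum += x;
        iterations++;
    }
    (void)sum;
    return iterations;
}

/* Fix 2: when a real-valued exit test is unavoidable, compare within a
 * tolerance and keep an iteration bound. Returns iterations taken to reach
 * 1.0 within eps, or cap if it never got there. */
int tolerant_loop_iterations(double eps, int cap) {
    int iterations = 0;
    double x = 0.0;
    for (;;) {
        double diff = x - 1.0;
        if (diff < 0) diff = -diff;        /* |x - 1.0| without linking libm */
        if (diff <= eps || iterations >= cap) {
            break;
        }
        x += 0.1;
        iterations++;
    }
    return iterations;
}
```

The integer-driven form is the one to prefer; the tolerance form still needs the cap, because a tolerance chosen too small reproduces the original hang.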

CVE References

  • CVE-2018-16069
    • Chain: series of floating-point precision errors
      (CWE-1339) in a web browser rendering engine causes out-of-bounds read
      (CWE-125), giving access to cross-origin data
  • CVE-2017-7619
    • Chain: rounding error in floating-point calculations
      (CWE-1339) in image processor leads to infinite loop (CWE-835)
  • CVE-2021-29529
    • Chain: machine-learning product can have a heap-based
      buffer overflow (CWE-122) when some integer-oriented bounds are
      calculated by using ceiling() and floor() on floating point values
      (CWE-1339)
  • CVE-2008-2108
    • Chain: insufficient precision (CWE-1339) in
      random-number generator causes some zero bits to be reliably
      generated, reducing the amount of entropy (CWE-331)
  • CVE-2006-6499
    • Chain: web browser crashes due to infinite loop – “bad
      looping logic [that relies on] floating point math [CWE-1339] to exit
      the loop [CWE-835]”

CWE-134 – Use of Externally-Controlled Format String


Description

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-668
CWE-123
CWE-20

 

Consequences

Confidentiality: Read Memory

Format string problems allow for information disclosure which can severely simplify exploitation of the program.

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

Format string problems can result in the execution of arbitrary code.

 

Potential Mitigations

Phase: Requirements

Description: 

Choose a language that is not subject to this flaw.

Phase: Implementation

Description: 

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Phase: Build and Compilation

Description: 

Run compilers and linkers with high warning levels, since they may detect incorrect usage.
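The implementation-phase mitigation above, as an added example that is not part of the CWE entry: the flawed call with the caller's string as the format argument, the fixed call with a static format string, and a defender-side helper that counts the conversion directives an input would trigger if it were misused as a format string. The function names and the "[app]" prefix are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the CWE entry. */

/* Flawed: the caller's string becomes the format argument, so any conversion
 * directives it contains are interpreted by printf. Shown for contrast only;
 * nothing in this file calls it. A compiler run with -Wformat-security flags
 * exactly this call. */
void log_message_unsafe(const char *msg) {
    printf(msg);
}

/* Fixed: a static format string; msg travels as a data argument, so '%'
 * sequences in it are printed literally. Returns the length snprintf
 * reports. */
int log_message_safe(char *dst, size_t dst_len, const char *msg) {
    return snprintf(dst, dst_len, "[app] %s\n", msg);
}

/* Counts the conversion directives a string would trigger if it were misused
 * as a format string ("%%" is a literal percent, not a directive). Useful for
 * screening values before they reach legacy code that cannot be changed yet,
 * or for reviewing log input during triage. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') {
            continue;
        }
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Convenience wrapper: length logged for a message via the safe path. */
int safe_log_length(const char *msg) {
    char buf[128];
    return log_message_safe(buf, sizeof buf, msg);
}
```

Passing the message through "%s" also fixes the argument-count problem the mitigation mentions: the format string is fixed at compile time, so the number of arguments it expects is always known.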

CVE References

  • CVE-2006-2480
    • Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
  • CVE-2007-2027
    • Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

CWE-1341 – Multiple Releases of Same Resource or Handle


Description

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-675
CWE-672

 

Consequences

Availability, Integrity: DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Description: 

Change the code’s logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.

Phase: Implementation

Description: 

It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

When closing a resource, set the resource’s associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.
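The flag-tracking and "set to NULL or equivalent" mitigations above, applied to a POSIX file descriptor, as an added example that is not part of the CWE entry. It also shows the descriptor-number recycling that makes a stray second close() dangerous, which is the hazard behind the CVE-2019-13351 entry below. The wrapper type and function names are assumptions; /dev/null stands in for the real resource.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <unistd.h>

/* Added example, not from the CWE entry. */

typedef struct {
    int fd;
    bool is_open;   /* (1) set on open, (2) cleared on close, (3) checked before close */
} tracked_fd;

bool tracked_open(tracked_fd *t, const char *path) {
    t->fd = open(path, O_RDONLY);
    t->is_open = (t->fd >= 0);
    return t->is_open;
}

/* Returns 1 when close() was actually called, 0 when the handle was already
 * closed. The descriptor is also reset to -1 (the "NULL or equivalent" for a
 * descriptor) so any later stray use fails with EBADF instead of touching a
 * recycled descriptor number. */
int tracked_close(tracked_fd *t) {
    if (!t->is_open) {
        return 0;
    }
    close(t->fd);
    t->fd = -1;
    t->is_open = false;
    return 1;
}

/* Closes the same handle twice, as a buggy error path might; returns how many
 * real close() calls happened. */
int double_close_demo(void) {
    tracked_fd t;
    if (!tracked_open(&t, "/dev/null")) {
        return -1;
    }
    int real_closes = tracked_close(&t);   /* the intended close */
    real_closes += tracked_close(&t);      /* the extra close: now a no-op */
    return real_closes;
}

/* POSIX hands out the lowest free descriptor number, so after close(a) the
 * next open() normally receives the same number. A stale second close(a)
 * would then close the new, unrelated file. Returns 1 if the number was
 * recycled, 0 otherwise, -1 on open failure. */
int fd_number_recycled(void) {
    int a = open("/dev/null", O_RDONLY);
    if (a < 0) {
        return -1;
    }
    close(a);
    int b = open("/dev/null", O_RDONLY);
    if (b < 0) {
        return -1;
    }
    int recycled = (a == b);
    close(b);
    return recycled;
}
```

Resetting fd to -1 is what turns a latent wrong-file bug into a loud EBADF, which is the trade-off the defense-in-depth note above describes.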

CVE References

  • CVE-2019-13351
    • file descriptor double close can cause the wrong file to be associated with a file descriptor.
  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
  • CVE-2004-0772
    • Double free resultant from certain error conditions.

CWE-1342 – Information Exposure through Microarchitectural State after Transient Execution


Description

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-226

 

Consequences

Confidentiality, Integrity: Modify Memory, Read Memory, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design, Requirements

Effectiveness: High

Description: 

Hardware ensures that no illegal data flows from faulting micro-ops exist at the microarchitectural level.

Being implemented in silicon it is expected to fully address the known weaknesses with limited performance impact.

Phase: Build and Compilation

Effectiveness: High

Description: 

Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.

This effectively forces the processor to complete each memory access before moving on to the next operation. This may have a large performance impact.

CVE References

  • CVE-2020-0551
    • Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access.

CWE-135 – Incorrect Calculation of Multi-Byte String Length


Description

The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-682

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. This can often be used to subvert any other security service.

Availability, Confidentiality: Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

Confidentiality: Read Memory

In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.

 

Potential Mitigations

Phase: Implementation

Description: 

Always verify the length of the string unit character.

Phase: Implementation

Description: 

Use length computing functions (e.g. strlen, wcslen, etc.) appropriately with their equivalent type (e.g. byte, wchar_t, etc.).
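Both mitigations above, as an added example that is not part of the CWE entry: wcslen() scaled by sizeof(wchar_t) to size a wide-string buffer, a copy that refuses a destination sized from the wrong unit, and a code-point count for UTF-8 input where strlen() returns bytes rather than characters. The function names and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Added example, not from the CWE entry. */

/* Bytes needed to hold a wide string including its terminator: wcslen()
 * counts wchar_t units, so the result must be scaled by sizeof(wchar_t). */
size_t wide_bytes_needed(const wchar_t *s) {
    return (wcslen(s) + 1) * sizeof(wchar_t);
}

/* Copies src into a destination of dst_bytes bytes, refusing when it would
 * not fit. Returns 1 on success, 0 when the buffer is too small. */
int wide_copy_checked(wchar_t *dst, size_t dst_bytes, const wchar_t *src) {
    size_t need = wide_bytes_needed(src);
    if (need > dst_bytes) {
        return 0;
    }
    memcpy(dst, src, need);
    return 1;
}

/* Demonstrates the miscalculation: sizing the wide destination from a byte
 * count (as if strlen() on the UTF-8 form had been used) instead of the
 * wchar_t count. Returns 1 if the copy was accepted for dst_bytes, else 0. */
int wide_copy_demo(size_t dst_bytes) {
    static const wchar_t sample[] = L"h\u00e9llo";   /* constructed sample: 5 characters */
    wchar_t dst[64];
    if (dst_bytes > sizeof dst) {
        dst_bytes = sizeof dst;
    }
    return wide_copy_checked(dst, dst_bytes, sample);
}

/* For UTF-8 input, strlen() returns bytes, not characters. This counts code
 * points by counting bytes that are not continuation bytes (10xxxxxx). */
size_t utf8_codepoints(const char *s) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p != '\0'; p++) {
        if ((*p & 0xC0) != 0x80) {
            n++;
        }
    }
    return n;
}
```

The same five-character word is 6 bytes in UTF-8 and 5 wchar_t units wide; a buffer sized from the first number cannot hold the second, which is exactly the overflow the consequences section describes.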

CVE References

CWE-1351 – Improper Handling of Hardware Behavior in Exceptionally Cold Environments


Description

A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1384

 

Consequences

Integrity, Authentication: Varies by Context, Unexpected State

Consequences of this weakness are highly contextual.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

The system should account for security primitive behavior when cooled outside standard temperatures.

CVE References