All posts by rocco

CWE-774 – Allocation of File Descriptors or Handles Without Limits or Throttling

Read Time:33 Second

Description

The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.

This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-770

 

Consequences

Availability: DoS: Resource Consumption (Other)

When allocating resources without limits, an attacker could prevent all other processes from accessing the same type of resource.

 

Potential Mitigations

Phase: Operation, Architecture and Design

Effectiveness:

Description: 

CVE References

 

CWE-775 – Missing Release of File Descriptor or Handle after Effective Lifetime

Read Time:51 Second

Description

The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-772
CWE-404
CWE-404

 

Consequences

Availability: DoS: Resource Consumption (Other)

An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource.

 

Potential Mitigations

Phase: Operation, Architecture and Design

Effectiveness:

Description: 

CVE References

 

  • CVE-2007-0897
    • Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

CWE-776 – Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

Read Time:1 Minute, 0 Second

Description

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-674
CWE-674
CWE-409

 

Consequences

Availability: DoS: Resource Consumption (Other)

If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

 

Potential Mitigations

Phase: Operation

Effectiveness:

Description: 

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Phase: Implementation

Effectiveness:

Description: 

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CVE References

 

  • CVE-2011-3288
    • XML bomb / XEE in enterprise communication product.
  • CVE-2011-1755
    • “Billion laughs” attack in XMPP server daemon.

CWE-777 – Regular Expression without Anchors

Read Time:1 Minute, 26 Second

Description

The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

Regular expressions are typically used to match a pattern of text. Anchors are used in regular expressions to specify where the pattern should match: at the beginning, the end, or both (the whole input).

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-625

 

Consequences

Availability, Confidentiality, Access Control: Bypass Protection Mechanism

An unanchored regular expression in the context of an allowlist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the allowlist was protecting.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.

CVE References

 

CWE-778 – Insufficient Logging

Read Time:1 Minute, 30 Second

Description

When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.

Modes of Introduction:

– Operation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-223
CWE-693

 

Consequences

Non-Repudiation: Hide Activities

If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.

Phase: Operation

Effectiveness:

Description: 

Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems.

CVE References

 

  • CVE-2008-4315
    • server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2008-1203
    • admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2007-3730
    • default configuration for POP server does not log source IP or username for login attempts
  • CVE-2007-1225
    • proxy does not log requests without “http://” in the URL, allowing web surfers to access restricted web content without detection
  • CVE-2003-1566
    • web server does not log requests for a non-standard request type

CWE-779 – Logging of Excessive Data

Read Time:1 Minute, 49 Second

Description

The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator’s ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment.

Modes of Introduction:

– Operation

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-400

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other)

Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system.

Non-Repudiation: Hide Activities

Logging too much information can make the log files of less use to forensics analysts and developers when trying to diagnose a problem or recover from an attack.

Non-Repudiation: Hide Activities

If system administrators are unable to effectively process log files, attempted attacks may go undetected, possibly leading to eventual system compromise.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Suppress large numbers of duplicate log messages and replace them with periodic summaries. For example, syslog may include an entry that states “last message repeated X times” when recording repeated events.

Phase: Architecture and Design

Effectiveness:

Description: 

Support a maximum size for the log file that can be controlled by the administrator. If the maximum size is reached, the admin should be notified. Also, consider reducing functionality of the software. This may result in a denial-of-service to legitimate software users, but it will prevent the software from adversely impacting the entire system.

Phase: Implementation

Effectiveness:

Description: 

Adjust configurations appropriately when software is transitioned from a debug state to production.

CVE References

 

  • CVE-2007-0421
    • server records a large amount of data to the server log when it receives malformed headers
  • CVE-2002-1154
    • chain: application does not restrict access to front-end for updates, which allows attacker to fill the error log

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Read Time:5 Minute, 52 Second

Description

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-77
CWE-74
CWE-77
CWE-77
CWE-88

 

Consequences

Confidentiality, Integrity, Availability, Non-Repudiation: Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Read Files or Directories, Modify Files or Directories, Read Application Data, Modify Application Data, Hide Activities

Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application’s owner.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Phase: Architecture and Design

Effectiveness:

Description: 

For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session’s state instead of sending it out to the client in a hidden form field.

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Effectiveness:

Description: 

If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Phase: Operation

Effectiveness:

Description: 

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl’s “-T” switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Phase: Operation

Effectiveness:

Description: 

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl’s “-T” switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Phase: Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness:

Description: 

Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Operation, Implementation

Effectiveness:

Description: 

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CVE References

 

  • CVE-1999-0067
    • Canonical example of OS command injection. CGI program does not neutralize “|” metacharacter when invoking a phonebook program.
  • CVE-2001-1246
    • Language interpreter’s mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
  • CVE-2002-0061
    • Web server allows command execution using “|” (pipe) character.
  • CVE-2003-0041
    • FTP client does not filter “|” from filenames returned by the server, allowing for OS command injection.
  • CVE-2008-2575
    • Shell metacharacters in a filename in a ZIP archive
  • CVE-2002-1898
    • Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.
  • CVE-2008-4304
    • OS command injection through environment variable.
  • CVE-2007-3572
    • Chain: incomplete denylist for OS command injection
  • CVE-2012-1988
    • Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.

CWE-780 – Use of RSA Algorithm without OAEP

Read Time:32 Second

Description

The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-327

 

Consequences

Access Control: Bypass Protection Mechanism

Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext.

 

Potential Mitigations

CVE References

 

CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

Read Time:1 Minute, 51 Second

Description

The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.

When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing or incorrect, attackers can supply arbitrary memory addresses, leading to code execution or a denial of service.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-1285
CWE-822

 

Consequences

Integrity, Availability, Confidentiality: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

An attacker may be able to access memory that belongs to another process or user. If the attacker can control the contents that the IOCTL writes, it may lead to code execution at high privilege levels. At the least, a crash can occur.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If METHOD_NEITHER is required for the IOCTL, then ensure that all user-space addresses are properly validated before they are first accessed. The ProbeForRead and ProbeForWrite routines are available for this task. Also properly protect and manage the user-supplied buffers, since the I/O Manager does not do this when METHOD_NEITHER is being used. See References.

Phase: Architecture and Design

Effectiveness:

Description: 

If possible, avoid using METHOD_NEITHER in the IOCTL and select methods that effectively control the buffer size, such as METHOD_BUFFERED, METHOD_IN_DIRECT, or METHOD_OUT_DIRECT.

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If the IOCTL is part of a driver that is only intended to be accessed by trusted users, then use proper access control for the associated device or device namespace. See References.

CVE References

 

  • CVE-2006-2373
    • Driver for file-sharing and messaging protocol allows attackers to execute arbitrary code.
  • CVE-2009-0686
    • Anti-virus product does not validate addresses, allowing attackers to gain SYSTEM privileges.
  • CVE-2008-5724
    • Personal firewall allows attackers to gain SYSTEM privileges.
  • CVE-2007-5756
    • chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.

CWE-782 – Exposed IOCTL with Insufficient Access Control

Read Time:1 Minute, 12 Second

Description

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-749
CWE-781

 

Consequences

Integrity, Availability, Confidentiality:

Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

In Windows environments, use proper access control for the associated device or device namespace. See References.

CVE References

 

  • CVE-2009-2208
    • Operating system does not enforce permissions on an IOCTL that can be used to modify network settings.
  • CVE-2008-3831
    • Device driver does not restrict ioctl calls to its direct rendering manager.
  • CVE-2008-3525
    • ioctl does not check for a required capability before processing certain requests.
  • CVE-2008-0322
    • Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten.
  • CVE-2007-4277
    • Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL.
  • CVE-2007-1400
    • Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl.
  • CVE-2006-4926
    • Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL.
  • CVE-1999-0728
    • Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL.