CWE-765 – Multiple Unlocks of a Critical Resource

Description

The software unlocks a critical resource more times than intended, leading to an unexpected state in the system.

When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-667
CWE-675

Consequences

Availability, Integrity: DoS: Crash, Exit, or Restart, Modify Memory, Unexpected State

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the software acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again.
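The mitigation above in working form, as an added example that is not code from the CWE entry or from any real project. It uses Python's threading primitives because they make both failure modes the description mentions observable: threading.Lock raises RuntimeError when released while not held, and a plain threading.Semaphore silently raises its available count on an extra release (the pooled-resource case), which threading.BoundedSemaphore turns into a ValueError. The "device memory", the read_memory functions and the invalid-address error path are constructed for illustration and mirror only the prose description of CVE-2009-0935.

```python
import threading

# Constructed "device memory" guarded by a lock (illustration only).
MEMORY = bytes(range(16))
_lock = threading.Lock()


def read_memory_buggy(addr):
    """Vulnerable pattern: the invalid-address path releases the lock and then
    falls through to the shared cleanup, which releases it a second time."""
    _lock.acquire()
    try:
        if addr < 0 or addr >= len(MEMORY):
            _lock.release()        # first release, on the error path
            return None
        return MEMORY[addr]
    finally:
        _lock.release()            # second release -> RuntimeError on the error path


def read_memory_fixed(addr):
    """Every path through the locked region reaches exactly one release."""
    with _lock:                    # the acquire/release pair is structural, not manual
        if addr < 0 or addr >= len(MEMORY):
            return None
        return MEMORY[addr]


def lock_is_free():
    """Check helper: True if the lock can be taken right now (it is given back)."""
    got = _lock.acquire(blocking=False)
    if got:
        _lock.release()
    return got


def pool_counts_after_extra_release(slots):
    """Pooled resources: one release too many on a plain Semaphore leaves more
    permits than the pool has members; BoundedSemaphore rejects the extra call.
    Returns (permits_now_available, bounded_semaphore_raised)."""
    plain = threading.Semaphore(slots)
    plain.acquire()
    plain.release()
    plain.release()                # one release too many: count is now slots + 1

    # Count how many non-blocking acquires succeed: slots + 1, i.e. one more
    # consumer than the pool can actually serve.
    permits = 0
    while plain.acquire(blocking=False):
        permits += 1

    bounded = threading.BoundedSemaphore(slots)
    bounded.acquire()
    bounded.release()
    try:
        bounded.release()          # ValueError: released too many times
        raised = False
    except ValueError:
        raised = True
    return permits, raised


if __name__ == "__main__":
    print(read_memory_fixed(3), read_memory_fixed(99), lock_is_free())
    print(pool_counts_after_extra_release(4))
```

The check a practitioner wants is the one the bounded semaphore performs for you: prefer lock types that fail loudly on an unbalanced release (BoundedSemaphore here, PTHREAD_MUTEX_ERRORCHECK in C) and structure the critical section so the release is reached by exactly one path, as in read_memory_fixed.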

CVE References

  • CVE-2009-0935
    • Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice

CWE-766 – Critical Data Element Declared Public

Description

The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-1061

Consequences

Integrity, Confidentiality: Read Application Data, Modify Application Data

Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.

Other: Reduce Maintainability

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Data should be private, static, and final whenever possible. This protects the code by initializing the value early, preventing outside access, and preventing tampering.

CVE References

  • CVE-2010-3860
    • Variables declared public allow remote read of system properties such as user name and home directory.

CWE-767 – Access to Critical Private Variable via Public Method

Description

The software defines a public method that reads or modifies a private variable.

If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-668

Consequences

Integrity, Other: Modify Application Data, Other

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data.
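One constructed Python example for both CWE-766 and CWE-767 above, added here and not taken from the CWE entries or from any real project. The Account classes, the is_admin flag and the caller-supplied actor are assumptions for illustration, and the rule "only an existing administrator may change the flag" is an assumed policy. Python has no enforced private fields, so the hardened version uses a name-mangled attribute, __slots__, a read-only property and a mutator that authorizes and validates before it writes, which is the closest equivalent of the private-field-plus-accessor pattern the two mitigations describe.

```python
class AccountPublic:
    """CWE-766: the critical flag is a public attribute, so any code that
    holds a reference can read or flip it without going through any policy."""

    def __init__(self, owner, is_admin=False):
        self.owner = owner
        self.is_admin = is_admin


class AccountLeakySetter:
    """CWE-767: the flag is private, but a public mutator writes it with
    no validation of the value and no check of who is calling."""

    def __init__(self, owner, is_admin=False):
        self.owner = owner
        self.__is_admin = is_admin

    @property
    def is_admin(self):
        return self.__is_admin

    def set_admin(self, value):
        self.__is_admin = value            # accepts anything from anyone


class AccountHardened:
    """Private field, read-only accessor, and a mutator that checks both who
    is asking and what they are asking for before touching the critical data."""

    # Explicit slots: no instance __dict__, so no ad-hoc attributes can be
    # attached; the second name is the mangled form of self.__is_admin.
    __slots__ = ("_owner", "_AccountHardened__is_admin")

    def __init__(self, owner, is_admin=False):
        self._owner = owner
        self.__is_admin = bool(is_admin)

    @property
    def owner(self):
        return self._owner

    @property
    def is_admin(self):               # read-only: no setter is defined
        return self.__is_admin

    def set_admin(self, value, actor):
        # Access control at the public boundary (assumed policy): only an
        # existing administrator may grant or revoke the flag.
        if not isinstance(actor, AccountHardened) or not actor.is_admin:
            raise PermissionError(f"{actor!r} may not change admin status")
        # Validate the incoming data: only a real bool is acceptable.
        if not isinstance(value, bool):
            raise TypeError("is_admin must be a bool")
        self.__is_admin = value


def tamper_public(acct):
    """Any holder of an AccountPublic can elevate it: no method call needed."""
    acct.is_admin = True
    return acct.is_admin


def tamper_via_setter(acct):
    """An AccountLeakySetter accepts an arbitrary value from an arbitrary caller."""
    acct.set_admin("yes")
    return acct.is_admin


if __name__ == "__main__":
    print(tamper_public(AccountPublic("alice")))
    print(tamper_via_setter(AccountLeakySetter("bob")))
    root = AccountHardened("root", is_admin=True)
    carol = AccountHardened("carol")
    carol.set_admin(True, actor=root)
    print(carol.is_admin)
```

Python's privacy is advisory (the mangled name is still reachable), so the value of the hardened form is not secrecy but the single entry point: every write to the critical field goes through one method that enforces authorization and validation, which is exactly what the CWE-767 mitigation asks for.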

CVE References

CWE-690 – Unchecked Return Value to NULL Pointer Dereference

Description

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.
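The chain in Python, as an added example rather than code from the CWE entry or from any of the products cited below. Python has no NULL pointer, but a function that returns None on failure and a caller that uses the result without checking is the same CWE-252 to CWE-476 chain, and it fails on the input the CVE-2006-2555 description mentions, a line missing its colon separator. The header format, sample request heads and function names are constructed.

```python
def split_header(line):
    """Return (name, value) for 'Name: value', or None when the separator is
    missing. Returning None for failure is the Python analogue of a C function
    returning NULL."""
    name, sep, value = line.partition(":")
    if not sep:
        return None
    return name.strip().lower(), value.strip()


def content_length_unchecked(raw):
    """Vulnerable: the return value is used without an error check. A line
    without ':' makes split_header() return None, and unpacking None raises
    TypeError, the crash the consequences section describes."""
    for line in raw.splitlines():
        name, value = split_header(line)     # TypeError when split_header() returns None
        if name == "content-length":
            return int(value)
    return 0


def content_length_checked(raw):
    """Fixed: test the result before using it and fail closed with a
    meaningful error instead of dereferencing the failure marker."""
    for line in raw.splitlines():
        parsed = split_header(line)
        if parsed is None:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = parsed
        if name == "content-length":
            if not value.isdigit():
                raise ValueError(f"bad Content-Length: {value!r}")
            return int(value)
    return 0


def outcome(parser, raw):
    """Run a parser and report either its value or the exception type name."""
    try:
        return parser(raw)
    except Exception as exc:
        return type(exc).__name__


# Constructed sample inputs: one well-formed request head, and one whose
# Content-Length line lacks the ':' separator.
GOOD = "Host: example.test\r\nContent-Length: 42\r\n"
BAD = "Host: example.test\r\nContent-Length 42\r\n"

if __name__ == "__main__":
    print(outcome(content_length_unchecked, GOOD), outcome(content_length_unchecked, BAD))
    print(outcome(content_length_checked, GOOD), outcome(content_length_checked, BAD))
```

In C the same defect is a NULL write or read rather than an exception, so the check belongs at the call site of every function documented as returning NULL on failure (malloc, strchr, the parsing helpers in the CVEs below), and the error path must release anything acquired before it.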

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-252
CWE-476

Consequences

Availability: DoS: Crash, Exit, or Restart

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Read Memory, Modify Memory

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.

Potential Mitigations

CVE References

  • CVE-2008-1052
    • Large Content-Length value leads to NULL pointer dereference when malloc fails.
  • CVE-2006-6227
    • Large message length field leads to NULL pointer dereference when malloc fails.
  • CVE-2006-2555
    • Parsing routine encounters NULL dereference when input is missing a colon separator.
  • CVE-2003-1054
    • URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.
  • CVE-2008-5183
    • chain: unchecked return value can lead to NULL dereference

CWE-692 – Incomplete Denylist to Cross-Site Scripting

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet” [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
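A constructed Python illustration of the point, added here and not the filter from CVE-2007-5727 or any real product. The denylist strips <script> blocks and javascript: URLs in a single pass; the payloads are in the style of the XSS Cheat Sheet [REF-714] and show three ways such a list falls short: constructs it never names (event handlers, SVG), encodings it does not normalize, and removal that reassembles the very tag it removed. The alternative shown is contextual output encoding with html.escape, which does not depend on enumerating attacks.

```python
import html
import re

# Incomplete denylist of the kind the entry describes: remove <script>...</script>
# blocks and the literal "javascript:" scheme, and let everything else through.
_SCRIPT_TAG = re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>",
                         re.IGNORECASE | re.DOTALL)
_JS_URL = re.compile(r"javascript:", re.IGNORECASE)


def denylist_filter(untrusted):
    """Single-pass removal filter. Anything it does not name passes through."""
    cleaned = _SCRIPT_TAG.sub("", untrusted)
    return _JS_URL.sub("", cleaned)


def escape_for_html(untrusted):
    """Output encoding for an HTML text or quoted-attribute context: every
    character with markup meaning is encoded, so nothing from the input is
    interpreted as a tag, attribute or handler."""
    return html.escape(untrusted, quote=True)


# Constructed payloads (not taken from any advisory).
VARIANTS = {
    "plain": "<script>alert(1)</script>",
    "event handler": '<img src=x onerror="alert(1)">',
    "svg onload": "<svg onload=alert(1)>",
    "entity-encoded url": '<a href="java&#x09;script:alert(1)">x</a>',
    # Removing the inner <script></script> leaves "<scr" + "ipt>..." behind.
    "nested tag": "<scr<script></script>ipt>alert(1)</script>",
}


def filter_results():
    """Map each variant to what the denylist lets through."""
    return {name: denylist_filter(payload) for name, payload in VARIANTS.items()}


def survives_denylist(name):
    """True when markup still reaches the page after the denylist ran."""
    return "<" in denylist_filter(VARIANTS[name])


if __name__ == "__main__":
    for name, out in filter_results().items():
        print(f"{name:20} denylist -> {out!r}")
        print(f"{'':20} escaped  -> {escape_for_html(VARIANTS[name])!r}")
```

The caveat a practitioner should keep in mind is that html.escape is the right encoder only for HTML text and quoted-attribute contexts; a value placed in a URL attribute, a script block or a CSS property needs the encoding for that context, and for URLs the scheme must be validated against an allowlist rather than searched for "javascript:".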

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-184
CWE-79

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

CVE References

  • CVE-2007-5727
    • Denylist only removes