CWE-393 – Return of Wrong Status Code

Read Time:1 Minute, 8 Second

Description

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-684
CWE-703

 

Consequences

Integrity, Other: Unexpected State, Alter Execution Logic

This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors.

 

Potential Mitigations

CVE References

  • CVE-2003-1132
    • DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
  • CVE-2001-1509
    • Hardware-specific implementation of system call causes incorrect results from geteuid.
  • CVE-2001-1559
    • System call returns wrong value, leading to a resultant NULL dereference.
  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).