CWE-455 – Non-exit on Failed Initialization

Read Time:47 Second

Description

The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-665
CWE-705
CWE-636

 

Consequences

Integrity, Other: Modify Application Data, Alter Execution Logic

The application could be placed in an insecure state that may allow an attacker to modify sensitive data or allow unintended logic to be executed.

 

Potential Mitigations

Phase: Implementation

Description: 

Follow the principle of failing securely when an error occurs. The system should enter a state where it is not vulnerable and will not display sensitive error messages to a potential attacker.

CVE References

  • CVE-2005-1345
    • Product does not trigger a fatal error if missing or invalid ACLs are in a configuration file.