CWE-494 – Download of Code Without Integrity Check


Description

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
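The pattern in the description above, as an added example that is not part of the CWE entry: a client that fetches code and executes it unchecked, a client that fetches a digest from the same place as the code (which an attacker on that path can forge), and a client that compares against a digest baked in at build time. The network fetch is replaced by constructed byte strings and hypothetical `fetch` callables so it runs offline; function names such as `build_release` and `safe_apply_update` are this example's own.

```python
"""
Added example (not from the CWE entry): three ways a client can apply a
downloaded code blob.  Network I/O is replaced by constructed byte strings.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple


class IntegrityError(Exception):
    """Raised when a downloaded blob does not match the digest we trust."""


# --- vendor / release side (hypothetical tooling) ---------------------------
def build_release(code: bytes) -> Tuple[bytes, str]:
    """The blob goes to a mirror over the untrusted path; the digest is baked
    into the client at build time and never travels with the blob."""
    return code, hashlib.sha256(code).hexdigest()


# --- client side ------------------------------------------------------------
def vulnerable_apply_update(fetch: Callable[[], bytes]) -> Dict[str, object]:
    """CWE-494 pattern: fetch, then exec, with nothing in between."""
    code = fetch()
    namespace: Dict[str, object] = {}
    exec(code, namespace)  # attacker-controlled if the fetch was tampered with
    return namespace


def weak_apply_update(fetch_pair: Callable[[], Tuple[bytes, str]]) -> Dict[str, object]:
    """Still CWE-494: the digest comes from the same server or connection as
    the code, so whoever controls that path serves a matching pair."""
    code, served_digest = fetch_pair()
    if not hmac.compare_digest(hashlib.sha256(code).hexdigest(), served_digest):
        raise IntegrityError("digest mismatch")
    namespace: Dict[str, object] = {}
    exec(code, namespace)
    return namespace


def safe_apply_update(fetch: Callable[[], bytes], pinned_digest: str) -> Dict[str, object]:
    """Fixed: compare against the digest shipped inside the client, in
    constant time, and refuse to execute on mismatch."""
    code = fetch()
    actual = hashlib.sha256(code).hexdigest()
    if not hmac.compare_digest(actual, pinned_digest):
        raise IntegrityError("update does not match pinned digest; refusing to execute")
    namespace: Dict[str, object] = {}
    exec(code, namespace)
    return namespace


# --- constructed scenario -----------------------------------------------------
GENUINE_CODE = b"VERSION = '2.0'\ndef run():\n    return 'patched'\n"
MALICIOUS_CODE = b"VERSION = '2.0'\ndef run():\n    return 'backdoored'\n"

GENUINE_BLOB, PINNED_DIGEST = build_release(GENUINE_CODE)


def mitm_fetch() -> bytes:
    """Adversary-in-the-middle or compromised mirror swaps the blob."""
    return MALICIOUS_CODE


def mitm_fetch_with_digest() -> Tuple[bytes, str]:
    """Same adversary also serves a digest that matches the swapped blob."""
    return MALICIOUS_CODE, hashlib.sha256(MALICIOUS_CODE).hexdigest()


def demo() -> Dict[str, str]:
    results: Dict[str, str] = {}
    results["vulnerable"] = vulnerable_apply_update(mitm_fetch)["run"]()
    results["weak"] = weak_apply_update(mitm_fetch_with_digest)["run"]()
    results["safe_genuine"] = safe_apply_update(lambda: GENUINE_BLOB, PINNED_DIGEST)["run"]()
    try:
        safe_apply_update(mitm_fetch, PINNED_DIGEST)
        results["safe_tampered"] = "executed"
    except IntegrityError:
        results["safe_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

A pinned digest only works for a fixed artifact, which is fine for a bootstrap script or a vendored dependency. For a client that must accept future updates, the equivalent check is a signature over the blob verified with a public key baked into the client; the key plays the role the pinned digest plays here, and it must likewise not be fetched from the update server.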

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-345
CWE-669
CWE-79

Consequences

Scope: Integrity, Availability, Confidentiality, Other

Impact: Execute Unauthorized Code or Commands, Alter Execution Logic, Other

Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.

Potential Mitigations

Phase: Implementation

Description: 

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit.
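The forward/reverse cross-check described in this mitigation, as an added example that is not part of the CWE entry. Resolver calls are injected so the example runs offline against constructed lookup tables (the `system_forward` / `system_reverse` helpers show the real `socket.getaddrinfo` / `socket.gethostbyaddr` plugs but are not exercised); the hostnames and addresses are constructed and use documentation ranges. The third scenario shows the limitation the text mentions: when the attacker also controls the reverse answer, the check passes.

```python
"""
Added example (not from the CWE entry): forward-confirmed reverse DNS as a
pre-download check.  Resolvers are injected; tables below are constructed.
"""
import socket
from typing import Callable, Dict, List

Forward = Callable[[str], List[str]]  # hostname -> addresses (A/AAAA)
Reverse = Callable[[str], str]        # address  -> PTR hostname (raises OSError if none)


def confirmed_addresses(host: str, forward: Forward, reverse: Reverse) -> List[str]:
    """Keep only addresses of `host` whose PTR record names `host` itself and
    whose name resolves back to the same address.  Addresses failing either
    leg are dropped as possible spoofs; an empty result means do not download."""
    want = host.rstrip(".").lower()
    confirmed: List[str] = []
    for ip in forward(host):
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError:
            continue                      # no PTR at all: cannot confirm, do not use
        if ptr != want:
            continue                      # PTR names another host: likely not our server
        if ip in forward(ptr):            # PTR name must resolve back to this address
            confirmed.append(ip)
    return confirmed


def system_forward(host: str) -> List[str]:
    """Real resolver plug (not exercised offline): distinct addresses for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def system_reverse(ip: str) -> str:
    """Real resolver plug (not exercised offline): primary PTR name for ip."""
    return socket.gethostbyaddr(ip)[0]


def table_forward(table: Dict[str, List[str]]) -> Forward:
    return lambda host: list(table.get(host.rstrip(".").lower(), []))


def table_reverse(table: Dict[str, str]) -> Reverse:
    def lookup(ip: str) -> str:
        if ip not in table:
            raise OSError(f"no PTR for {ip}")
        return table[ip]
    return lookup


# Constructed DNS data.  203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; nothing here is live.
HOST = "updates.example.com"

# 1. Honest answers: A record and PTR agree.
HONEST_FWD = {HOST: ["203.0.113.10"]}
HONEST_REV = {"203.0.113.10": "updates.example.com."}

# 2. Spoofed A record pointing at an attacker VPS.  The attacker controls the
#    box but not the PTR zone for its address, which still names the hoster.
SPOOFED_FWD = {HOST: ["198.51.100.7"], "vps-7.hosting.example.net": ["198.51.100.7"]}
SPOOFED_REV = {"198.51.100.7": "vps-7.hosting.example.net."}

# 3. Same spoof, but the attacker also controls the PTR zone (or spoofs the
#    reverse answer too).  The check passes: this is why it is only partial.
PTR_OWNED_FWD = {HOST: ["198.51.100.7"]}
PTR_OWNED_REV = {"198.51.100.7": HOST}


def demo() -> Dict[str, List[str]]:
    return {
        "honest": confirmed_addresses(HOST, table_forward(HONEST_FWD), table_reverse(HONEST_REV)),
        "spoofed": confirmed_addresses(HOST, table_forward(SPOOFED_FWD), table_reverse(SPOOFED_REV)),
        "ptr_owned": confirmed_addresses(HOST, table_forward(PTR_OWNED_FWD), table_reverse(PTR_OWNED_REV)),
    }


if __name__ == "__main__":
    for scenario, addrs in demo().items():
        print(f"{scenario:10s} -> {addrs or 'no usable address'}")
```

Even in the honest case this only tells the client that the address it resolved belongs to the expected name; it says nothing about what that server sends back, so an integrity check on the downloaded bytes is still required.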

Phase: Architecture and Design, Operation

Description: 

Phase: Architecture and Design

Description: 

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

CVE References

  • CVE-2019-9534
    • Satellite phone does not validate its firmware image.
  • CVE-2021-22909
    • Chain: router’s firmware update procedure uses curl with “-k” (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
  • CVE-2008-3438
    • OS does not verify authenticity of its own updates.
  • CVE-2008-3324
    • Online poker client does not verify authenticity of its own updates.
  • CVE-2001-1125
    • Anti-virus product does not verify automatic updates for itself.
  • CVE-2002-0671
    • VOIP phone downloads applications from web sites without verifying integrity.