CWE-772 – Missing Release of Resource after Effective Lifetime

Read Time:1 Minute, 45 Second

Description

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU, disk space, power or battery, etc.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-404
CWE-404
CWE-404
CWE-404

 

Consequences

Availability: DoS: Resource Consumption (Other)

An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource.

 

Potential Mitigations

Phase: Requirements

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

Phase: Operation, Architecture and Design

Effectiveness:

Description: 

CVE References

 

  • CVE-2007-0897
    • Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.
  • CVE-2001-0830
    • Sockets not properly closed when attacker repeatedly connects and disconnects from server.
  • CVE-1999-1127
    • Does not shut down named pipe connections if malformed data is sent.
  • CVE-2009-2858
    • Chain: memory leak (CWE-404) leads to resource exhaustion.
  • CVE-2009-2054
    • Product allows exhaustion of file descriptors when processing a large number of TCP packets.
  • CVE-2008-2122
    • Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
  • CVE-2007-4103
    • Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
  • CVE-2002-1372
    • Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.