Description
When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.
When security-critical events such as failed login attempts are not logged properly, malicious behavior is harder to detect and forensic analysis after a successful attack is hindered or impossible.
Modes of Introduction:
– Operation
Likelihood of Exploit: Medium
Related Weaknesses
Consequences
Non-Repudiation: Hide Activities
If security-critical information is not recorded, there is no trail for forensic analysis, and discovering the cause of problems or the source of attacks becomes more difficult or impossible.
Potential Mitigations
Phase: Architecture and Design
Effectiveness:
Description:
Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.
Phase: Operation
Effectiveness:
Description:
Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can bury the relevant events, hinder the same analysis, and expose sensitive values such as credentials that should never reach a log.
CVE References
- CVE-2008-4315
- server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2008-1203
- admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2007-3730
- default configuration for POP server does not log source IP or username for login attempts
- CVE-2007-1225
- proxy does not log requests without “http://” in the URL, allowing web surfers to access restricted web content without detection
- CVE-2003-1566
- web server does not log requests for a non-standard request type