CWE-778 – Insufficient Logging


Description

When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

When security-critical events such as a failed login attempt are not logged properly, malicious behavior becomes more difficult to detect, and forensic analysis after an attack succeeds may be hindered.

Modes of Introduction:

– Operation

Likelihood of Exploit: Medium


Related Weaknesses

CWE-223
CWE-693


Consequences

Non-Repudiation: Hide Activities

If security-critical information is not recorded, there will be no trail for forensic analysis, and discovering the cause of problems or the source of attacks may become more difficult or impossible.


Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.

Phase: Operation

Effectiveness:

Description: 

Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems.
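The following is an added example, not part of the CWE entry, showing the weakness and both mitigations side by side in Python: a login handler that computes the outcome but records nothing (the CWE-778 pattern), a hardened handler that writes every success and failure to one central audit logger with username and source address but never the password (avoiding the over-logging of CWE-779), and a small detection routine that reads those records back to flag repeated failures from one source. The credential store, usernames, addresses and attempts are constructed sample data, and the in-memory `ListHandler` stands in for whatever central log sink a real deployment would use.

```python
"""Added example for CWE-778: unlogged vs. audited authentication.
Credential store, usernames, addresses and attempts are constructed sample data."""
import hashlib
import hmac
import logging
from collections import Counter

# Constructed sample credential store: username -> SHA-256 of password.
# (A real system uses a slow, salted password hash; this only lets the example run offline.)
_USERS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}


def _check_password(username, password):
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


# --- Weak: the outcome is computed but never recorded (CWE-778) -------------
def login_unlogged(username, password, source_ip):
    return _check_password(username, password)


# --- Hardened: one central audit logger, every outcome recorded -------------
audit = logging.getLogger("audit.auth")


class ListHandler(logging.Handler):
    """Keeps emitted records in memory so the detector below can read them back."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


audit_store = ListHandler()
audit.addHandler(audit_store)
audit.setLevel(logging.INFO)   # Operation phase: INFO must not be filtered out in production
audit.propagate = False


def login_logged(username, password, source_ip):
    ok = _check_password(username, password)
    # Both success and failure are logged (Architecture/Design mitigation) with the
    # username and source address an investigator needs, but never the password
    # itself (logging too much is CWE-779).
    details = {"user": username, "src": source_ip, "outcome": "success" if ok else "failure"}
    if ok:
        audit.info("login success", extra=details)
    else:
        audit.warning("login failure", extra=details)
    return ok


def failed_logins_by_source(records, threshold):
    """Detection: sources whose failed-login count reaches the threshold."""
    counts = Counter(r.src for r in records if r.outcome == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}


def demo():
    """Runs constructed attempts through both handlers and summarises what the log shows."""
    audit_store.records.clear()
    attempts = [
        ("alice", "wrong1", "203.0.113.7"),
        ("alice", "wrong2", "203.0.113.7"),
        ("alice", "wrong3", "203.0.113.7"),
        ("alice", "correct horse", "198.51.100.2"),
    ]
    for user, pw, ip in attempts:
        login_unlogged(user, pw, ip)
    trace_after_unlogged = len(audit_store.records)   # nothing to investigate
    for user, pw, ip in attempts:
        login_logged(user, pw, ip)
    return {
        "trace_after_unlogged": trace_after_unlogged,
        "records": len(audit_store.records),
        "suspicious": failed_logins_by_source(audit_store.records, 3),
        # Password material must never appear anywhere in a stored record.
        "password_in_log": any("wrong1" in str(r.__dict__) for r in audit_store.records),
    }


if __name__ == "__main__":
    print(demo())
```

The unlogged handler leaves `trace_after_unlogged` at zero, which is exactly the situation in the CVE examples below: the brute-force pattern is invisible. The hardened handler produces one record per attempt, and `failed_logins_by_source` finds the repeated failures from `203.0.113.7` while the successful login from a different address is recorded but not flagged.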

CVE References


  • CVE-2008-4315
    • server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2008-1203
    • admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
  • CVE-2007-3730
    • default configuration for POP server does not log source IP or username for login attempts
  • CVE-2007-1225
    • proxy does not log requests without “http://” in the URL, allowing web surfers to access restricted web content without detection
  • CVE-2003-1566
    • web server does not log requests for a non-standard request type