CWE-212 – Improper Removal of Sensitive Information Before Storage or Transfer

Description

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-669
CWE-201

Consequences

Confidentiality: Read Files or Directories, Read Application Data

Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences which will depend on what data is exposed. One possibility is the exposure of system data allowing an attacker to craft a specific, more effective attack.

Potential Mitigations

Phase: Requirements

Description: 

Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.

Phase: Architecture and Design

Description: 

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

This makes it easier to spot places in the code where data is being used that is unencrypted.

Phase: Implementation

Description: 

Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.

CVE References

  • CVE-2005-0406
    • Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
  • CVE-2002-0704
    • NAT feature in firewall leaks internal IP addresses in ICMP error messages.
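
The Requirements-phase mitigation above asks for a way to cleanse a resource before it is exported, and CVE-2005-0406 shows what happens when an editor rewrites the picture but leaves the old Exif thumbnail in place. The following is an added example, not code from CWE or from any of the products referenced: a small JPEG segment walker in Python that drops the metadata segments (APP1 Exif/XMP, APP13 IPTC, COM) from a baseline JPEG before it is published, while copying the scan data untouched. The sample file, marker set and segment names are constructed for the example.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Header segments that carry metadata rather than image data.  APP1 holds Exif
# (including its embedded thumbnail) and XMP, APP13 holds Photoshop/IPTC records,
# COM is free text.  APP0 (JFIF) and APP2 (ICC profile) are kept on purpose.
METADATA_MARKERS = frozenset({0xE1, 0xED, 0xFE})


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, 2-byte big-endian length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def list_segments(jpeg: bytes) -> list:
    """Return (marker, payload_length) for every header segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    found, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF:      # skip optional fill bytes
            pos += 1
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        found.append((marker, length - 2))
        if marker == SOS:                 # entropy-coded data follows; no more header segments
            break
        pos += 2 + length
    return found


def strip_metadata(jpeg: bytes, drop=METADATA_MARKERS) -> bytes:
    """Copy a JPEG, omitting the header segments whose markers are in `drop`.

    Everything from SOS onward (the actual scan) is copied verbatim, so the
    pixels are untouched and only the side data disappears.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF:      # skip optional fill bytes
            pos += 1
        marker = jpeg[pos + 1]
        if marker == SOS:
            out += jpeg[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"truncated segment at offset {pos}")
        if marker not in drop:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no SOS segment found")


# Constructed sample (not a real image, but structurally valid): a JFIF header,
# an Exif APP1 segment still holding a stale thumbnail, an editor comment, a
# quantisation table, then a minimal scan and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00" + b"\x00" * 16 + b"OLD-THUMBNAIL-PIXELS")
    + segment(0xFE, b"edited with ExampleEditor 1.0")
    + segment(0xDB, b"\x00" + bytes(range(1, 65)))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m, _ in list_segments(SAMPLE_JPEG)])
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m, _ in list_segments(cleaned)])
```

Run `list_segments` on the output as the acceptance check: the publish path should refuse any file in which an APP1 or COM segment survives. Dropping APP1 also removes orientation and date fields, so if the product needs to keep a subset it must re-emit a freshly built Exif block rather than edit the old one in place, which is exactly the mistake in the CVE above.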

CWE-211 – Externally-Generated Error Message Containing Sensitive Information

Description

The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-209

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: System Configuration

Description: 

Configure the application’s environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

Phase: Implementation

Description: 

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Phase: Implementation

Description: 

The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.

CVE References

  • CVE-2004-1581
    • chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
  • CVE-2004-1579
    • Single “'” inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from a more general SQL injection issue.
  • CVE-2005-0459
    • chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
  • CVE-2005-0443
    • invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
  • CVE-2005-0433
    • Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
  • CVE-2004-1101
    • Improper handling of filename request with trailing “/” causes multiple consequences, including information leak in Visual Basic error message.

CWE-210 – Self-generated Error Message Containing Sensitive Information

Description

The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-209

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

CVE References

  • CVE-2005-1745
    • Infoleak of sensitive information in error message (physical access required).

CWE-209 – Generation of Error Message Containing Sensitive Information

Description

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-200
CWE-755

Consequences

Confidentiality: Read Application Data

Often this will reveal either sensitive information that may be used for a later attack, or private information stored on the server.

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Handle exceptions internally and do not display errors containing potentially sensitive information to a user.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

This makes it easier to spot places in the code where data is being used that is unencrypted.

Phase: Implementation, Build and Compilation

Description: 

Debugging information should not make its way into a production release.

Phase: System Configuration

Description: 

Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.

Phase: System Configuration

Description: 

Create default error pages or messages that do not leak any information.
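
The Implementation and System Configuration mitigations for CWE-211 and CWE-209 above come down to one pattern: catch everything at the outermost layer, keep the detail (traceback, file paths, query text) in the server log, and send the client a generic page plus an opaque reference. The code below is an added example in Python, not CWE's own and not tied to any product on this page; the `Response` type, the `safe_dispatch` wrapper, the incident sink and the `/var/www/app/config/db.ini` path are all constructed for the example. PHP's `display_errors=Off` is the environment-level equivalent of running this with `debug=False`.

```python
from __future__ import annotations

import logging
import traceback
import uuid
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("app.errors")


@dataclass
class Response:
    status: int
    body: str


def log_incident(incident_id: str, exc: BaseException) -> None:
    """Default sink: the full traceback goes to the server log only."""
    log.error("incident %s: %s", incident_id, type(exc).__name__, exc_info=exc)


def safe_dispatch(handler: Callable[[dict], Response], request: dict, *,
                  debug: bool = False,
                  sink: Callable[[str, BaseException], None] = log_incident) -> Response:
    """Run a request handler; any unhandled exception becomes a generic 500 page.

    The traceback (which typically carries file paths, SQL, config values or
    library versions) is handed to `sink` for the operator.  The client gets
    only an incident id they can quote to support.  `debug=True` reproduces a
    development setting left on in production and exists so the contrast is
    testable; it is the behaviour CWE-209/211 describe.
    """
    try:
        return handler(request)
    except Exception as exc:  # last line of defence, so deliberately broad
        incident_id = uuid.uuid4().hex[:12]
        sink(incident_id, exc)
        if debug:
            detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
            return Response(500, detail)
        return Response(500, f"Something went wrong. Incident reference: {incident_id}")


# Constructed handler that fails the way a real one might: the interpreter's own
# message includes a path and a database user name.
DB_CONFIG_PATH = "/var/www/app/config/db.ini"   # placeholder path for the example


def load_report(request: dict) -> Response:
    raise FileNotFoundError(f"could not open {DB_CONFIG_PATH} (db_user=reporting)")


def demo(debug: bool) -> tuple[Response, list]:
    """Dispatch the failing handler; return what the client saw and what the log saw."""
    seen: list = []
    resp = safe_dispatch(load_report, {"path": "/report"}, debug=debug,
                         sink=lambda iid, exc: seen.append((iid, str(exc))))
    return resp, seen


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for mode in (False, True):
        resp, seen = demo(debug=mode)
        print(f"debug={mode}: client sees -> {resp.body.strip().splitlines()[-1]}")
        print(f"              log sees    -> {seen[0]}")
```

The incident id is the only thing that crosses the trust boundary, and it is what lets an operator find the matching log entry without the client ever seeing the traceback. A production build check that asserts `debug is False` at startup is the cheap way to enforce the "no debugging information in a production release" item.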

CVE References

  • CVE-2008-2049
    • POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
  • CVE-2007-5172
    • Program reveals password in error message if attacker can trigger certain database errors.
  • CVE-2008-4638
    • Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
  • CVE-2008-1579
    • Existence of user names can be determined by requesting a nonexistent blog and reading the error message.
  • CVE-2007-1409
    • Direct request to library file in web application triggers pathname leak in error message.
  • CVE-2008-3060
    • Malformed input to login page causes leak of full path when IMAP call fails.
  • CVE-2005-0603
    • Malformed regexp syntax leads to information exposure in error message.
  • CVE-2017-9615
    • Verbose logging stores admin credentials in a world-readable log file.

CWE-208 – Observable Timing Discrepancy

Description

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product’s internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-203
CWE-385
CWE-327

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

CVE References

  • CVE-2003-0078
    • SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the “Vaudenay timing attack.”
  • CVE-2000-1117
    • Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
  • CVE-2003-0637
    • Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.
  • CVE-2003-0190
    • Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
  • CVE-2004-1602
    • FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.
  • CVE-2005-0918
    • Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.

CWE-207 – Observable Behavioral Discrepancy With Equivalent Products

Description

The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.

For many kinds of products, multiple products may be available that perform the same functionality, such as a web server, network interface, or intrusion detection system. Attackers often perform “fingerprinting,” which uses discrepancies in order to identify which specific product is in use. Once the specific product has been identified, the attacks can be made more customized and efficient. Often, an organization might intentionally allow the specific product to be identifiable. However, in some environments, the ability to identify a distinct product is unacceptable, and it is expected that every product would behave in exactly the same way. In these more restricted environments, a behavioral difference might pose an unacceptable risk if it makes it easier to identify the product’s vendor, model, configuration, version, etc.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-205

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

CVE References

  • CVE-2002-0208
    • Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
  • CVE-2004-2252
    • Behavioral infoleak by responding to SYN-FIN packets.
  • CVE-2000-1142
    • Honeypot generates an error with a “pwd” command in a particular directory, allowing attacker to know they are in a honeypot system.

CWE-206 – Observable Internal Behavioral Discrepancy

Description

The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.

Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be making progress can then be used to simplify or optimize the attack. For example, in a login procedure that requires a username and password, ultimately there is only one decision: success or failure. However, internally, two separate actions are performed: determining if the username exists, and checking if the password is correct. If the product behaves differently based on whether the username exists or not, then the attacker only needs to concentrate on the password.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-205

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

Phase:

Description: 

Set up generic response pages for error conditions. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the username is correct and the password incorrect. An attacker who tries random account names may be able to guess some of them; confirming that an account exists would make the login page more susceptible to brute-force attack.

CVE References

  • CVE-2002-2031
    • File existence via infoleak monitoring whether “onerror” handler fires or not.
  • CVE-2005-2025
    • Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn’t respond if not).
  • CVE-2001-1497
    • Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space.
  • CVE-2003-0190
    • Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration.

CWE-205 – Observable Behavioral Discrepancy

Description

The product’s behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.

Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of these internal operations to simplify or optimize their attack. In some cases, behavioral discrepancies can be used by attackers to form a side channel.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-203
CWE-514

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

CVE References

  • CVE-2002-0208
    • Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
  • CVE-2004-2252
    • Behavioral infoleak by responding to SYN-FIN packets.

CWE-204 – Observable Response Discrepancy

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-203

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

CVE References

  • CVE-2002-2094
    • This, and others, use “..” attacks and monitor error responses, so there is overlap with directory traversal.
  • CVE-2001-1483
    • Enumeration of valid usernames based on inconsistent responses.
  • CVE-2001-1528
    • Account number enumeration via inconsistent responses.
  • CVE-2004-2150
    • User enumeration via discrepancies in error messages.
  • CVE-2005-1650
    • User enumeration via discrepancies in error messages.
  • CVE-2004-0294
    • Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.
  • CVE-2004-0243
    • Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.
  • CVE-2002-0514
    • Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.
  • CVE-2002-0515
    • Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
  • CVE-2001-1387
    • Product may generate different responses than specified by the administrator, possibly leading to an information leak.
  • CVE-2004-0778
    • Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
  • CVE-2004-1428
    • FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.
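
The login procedure is the running example for CWE-208 (timing), CWE-206 (the username check and the password check are observable as two decisions) and CWE-204 (different failure messages), and the CWE-206 mitigation asks for one generic failure response. The block below is an added example in Python, not CWE's own and not the code of any product listed: a leaky login beside a hardened one that returns the same message, does the same password-hashing work whether or not the user exists, and compares digests in constant time. The user store, the user "alice" and her password are constructed for the example; `hash_password`, `login_leaky`, `login_uniform` and `failure_responses_identical` are names chosen here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; returns (salt, digest).  A fresh salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the example.
USERS = {"alice": hash_password("correct horse battery staple")}

# A dummy credential that is hashed against when the username is unknown, so the
# unknown-user path costs the same as the wrong-password path (CWE-208).
_DUMMY = hash_password(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The weakness: distinct messages (CWE-204), an early return that skips the
    expensive hash for unknown users (CWE-206/208), and a plain `!=` compare."""
    if username not in USERS:
        return False, "Unknown user"          # confirms the account does not exist
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    if candidate != stored:                   # short-circuits at the first differing byte
        return False, "Wrong password"        # confirms the account does exist
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened: same message, same work and a constant-time digest compare on every path."""
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    # `&` instead of `and`: both operands are evaluated regardless of the first.
    ok = hmac.compare_digest(candidate, stored) & (username in USERS)
    return (True, "OK") if ok else (False, GENERIC_FAILURE)


def failure_responses_identical(login_fn) -> bool:
    """Defender's check: the failure response must not depend on whether the username exists."""
    unknown_user = login_fn("no-such-user", "x")
    wrong_password = login_fn("alice", "x")
    return unknown_user == wrong_password


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "unknown user ->", fn("no-such-user", "x"))
        print(fn.__name__, "wrong password ->", fn("alice", "x"))
        print(fn.__name__, "distinguishable:", not failure_responses_identical(fn))
```

`failure_responses_identical` only covers the response body; the timing side of CWE-208 is what the dummy hash and `hmac.compare_digest` address, and a test that times `login_uniform("alice", ...)` against `login_uniform("no-such-user", ...)` over many runs is the corresponding check. Account lockout and rate limiting still belong in front of this code; the uniform response just stops the login page from telling the caller which half of the credential was wrong.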

CWE-203 – Observable Discrepancy

Description

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product’s operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-200

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

An attacker can gain access to sensitive information about the system, including authentication information that may allow an attacker to gain access to the system.

Confidentiality: Read Application Data

When cryptographic primitives are vulnerable to side-channel attacks, this could in the worst case be used to reveal unencrypted plaintext.

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

CVE References

  • CVE-2020-8695
    • Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure.
  • CVE-2002-2094
    • This, and others, use “..” attacks and monitor error responses, so there is overlap with directory traversal.
  • CVE-2001-1483
    • Enumeration of valid usernames based on inconsistent responses.
  • CVE-2001-1528
    • Account number enumeration via inconsistent responses.
  • CVE-2004-2150
    • User enumeration via discrepancies in error messages.
  • CVE-2005-1650
    • User enumeration via discrepancies in error messages.
  • CVE-2004-0294
    • Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.
  • CVE-2004-0243
    • Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.
  • CVE-2002-0514
    • Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.
  • CVE-2002-0515
    • Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
  • CVE-2002-0208
    • Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
  • CVE-2004-2252
    • Behavioral infoleak by responding to SYN-FIN packets.
  • CVE-2001-1387
    • Product may generate different responses than specified by the administrator, possibly leading to an information leak.
  • CVE-2004-0778
    • Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
  • CVE-2004-1428
    • FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.
  • CVE-2003-0078
    • SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the “Vaudenay timing attack.”
  • CVE-2000-1117
    • Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
  • CVE-2003-0637
    • Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.
  • CVE-2003-0190
    • Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
  • CVE-2004-1602
    • FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.
  • CVE-2005-0918
    • Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.
