CWE-916 – Use of Password Hash With Insufficient Computational Effort


Description

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-327

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

If an attacker can gain access to the hashes, then the lack of sufficient computational effort will make it easier to conduct brute force attacks using techniques such as rainbow tables, or specialized hardware such as GPUs, which can be much faster than general-purpose CPUs for computing hashes.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

When using industry-approved techniques, use them correctly. Don’t cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
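The weak scheme the CVEs above describe (one fast, unsalted hash) next to a scheme that applies the computational effort this entry calls for. This is an added illustration, not code from the CWE entry; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the record format `pbkdf2_sha256$iterations$salt$digest` is an assumption of the example.

```python
import hashlib
import hmac
import secrets

# Weak scheme: one fast, unsalted MD5 per password, the pattern behind the
# CVEs listed for this entry. Identical passwords give identical hashes, so
# one precomputed table cracks every reused password, and a GPU can test
# billions of candidates per second.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt per password
# and a deliberately high iteration count. Scheme, iteration count and salt
# are stored with the digest so the cost can be raised later.
ITERATIONS = 600_000  # cost parameter; tune so one hash takes ~100 ms on the server

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def _parse(stored: str):
    """Split a stored record; None for anything that is not our format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None

def verify_password(password: str, stored: str) -> bool:
    parsed = _parse(stored)
    if parsed is None:
        return False  # unknown or malformed record never verifies
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True for legacy records (e.g. bare MD5) or ones below the current cost."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < min_iterations
```

Calling `needs_rehash` on each successful login lets a deployment migrate old records and raise the iteration count over time without a forced password reset.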

CVE References

 

  • CVE-2008-1526
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2006-1058
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2008-4905
    • Blogging software uses a hard-coded salt when calculating a password hash.
  • CVE-2002-1657
    • Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2001-0967
    • Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2005-0408
    • chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

CWE-915 – Improperly Controlled Modification of Dynamically-Determined Object Attributes


Description

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-913
CWE-502

 

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

CVE References

 

  • CVE-2012-2054
    • Mass assignment allows modification of arbitrary attributes using modified URL.
  • CVE-2012-2055
    • Source version control product allows modification of trusted key using mass assignment.
  • CVE-2008-7310
    • Attackers can bypass payment step in e-commerce software.
  • CVE-2013-1465
    • Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
  • CVE-2012-3527
    • Use of PHP unserialize function on untrusted input in content management system might allow code execution.
  • CVE-2012-0911
    • Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
  • CVE-2012-0911
    • Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
  • CVE-2011-4962
    • Content management system written in PHP allows code execution through page comments.
  • CVE-2009-4137
    • Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
  • CVE-2007-5741
    • Content management system written in Python interprets untrusted data as pickles, allowing code execution.
  • CVE-2011-2520
    • Python script allows local users to execute code via pickled data.
  • CVE-2005-2875
    • Python script allows remote attackers to execute arbitrary code using pickled objects.
  • CVE-2013-0277
    • Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
  • CVE-2011-2894
    • Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
  • CVE-2012-1833
    • Grails allows binding of arbitrary parameters to modify arbitrary object properties.
  • CVE-2010-3258
    • Incorrect deserialization in web browser allows escaping the sandbox.
  • CVE-2008-1013
    • Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.

CWE-914 – Improper Control of Dynamically-Identified Variables


Description

The software does not properly restrict reading from or writing to dynamically-identified variables.

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-99
CWE-913

 

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that internal program variables do not need to be dynamically identified.
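The allowlist mitigation for both CWE-915 (object attributes set from a request) and CWE-914 (program variables named by input), as an added example that is not part of either CWE entry. The `UserProfile` class, the `CONFIG` dictionary and the field names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    username: str
    email: str
    display_name: str = ""
    is_admin: bool = False   # privileged field; must never be request-settable

# Vulnerable pattern (CWE-915): every key the client sent is written straight
# onto the object, so an extra "is_admin" in the request body is honoured.
def update_unchecked(obj, data: dict) -> None:
    for key, value in data.items():
        setattr(obj, key, value)

# Mitigation: an explicit allowlist of attributes the caller may change.
# Keys outside it are reported back rather than silently applied.
PROFILE_EDITABLE = frozenset({"email", "display_name"})

def update_allowlisted(obj, data: dict, allowed=PROFILE_EDITABLE) -> list:
    rejected = sorted(k for k in data if k not in allowed)
    for key in sorted(data.keys() & allowed):
        setattr(obj, key, data[key])
    return rejected

# CWE-914, the same idea for dynamically-identified variables: instead of
# globals()[name] = value or a PHP-style extract(), resolve the name through
# a fixed mapping so input can only reach the settings meant to be reachable.
CONFIG = {
    "theme": "light",
    "page_size": 20,
    "upload_dir": "/var/app/uploads",   # internal; never user-settable
}
USER_SETTABLE = frozenset({"theme", "page_size"})

def set_config_from_input(name: str, value) -> bool:
    """Apply a user-supplied name/value pair only if the name is allowlisted."""
    if name not in USER_SETTABLE:
        return False
    CONFIG[name] = value
    return True
```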

CVE References

 

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing
  • CVE-2009-0422
    • Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
  • CVE-2007-2431
    • Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
  • CVE-2006-4904
    • Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
  • CVE-2006-4019
    • Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

CWE-913 – Improper Control of Dynamically-Managed Code Resources


Description

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-664

 

Consequences

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of acceptable values.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that it does not need to be dynamically managed.

CVE References

 

CWE-912 – Hidden Functionality


Description

The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software’s users or administrators.

Hidden functionality can take many forms, such as intentionally malicious code, “Easter Eggs” that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software’s attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-684

 

Consequences

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Installation

Effectiveness:

Description: 

Always verify the integrity of the software that is being installed.

Phase: Testing

Effectiveness:

Description: 

Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.

CVE References

 

CWE-911 – Improper Update of Reference Count


Description

The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released.
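Both failure modes described above (a count that never returns to zero, and one that reaches zero while the resource is still held) in a small simulation. This is an added example, not from the CWE entry; the `Resource` class stands in for a real allocator, and `process_buggy` models the error-path omission described for CVE-2004-0114 on this page.

```python
class Resource:
    """Simulated refcounted resource; 'freed' stands in for de-allocation."""
    def __init__(self, name: str):
        self.name = name
        self.refcount = 0
        self.freed = False

    def acquire(self) -> None:
        if self.freed:
            raise RuntimeError(f"{self.name}: acquire after free")
        self.refcount += 1

    def release(self) -> None:
        if self.freed:
            raise RuntimeError(f"{self.name}: double release")
        if self.refcount <= 0:
            raise RuntimeError(f"{self.name}: release without matching acquire")
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True          # count hit zero: resource is gone

    def use(self) -> str:
        if self.freed:
            raise RuntimeError(f"{self.name}: use after free")
        return f"using {self.name}"

# Buggy helper: the reference is taken, an error occurs, and the function
# returns without releasing it. The count stays elevated and the resource
# is never freed (the leak case in the description).
def process_buggy(res: Resource, fail: bool) -> bool:
    res.acquire()
    if fail:
        return False
    res.use()
    res.release()
    return True

# Fixed helper: release on every path, including the error path.
def process_fixed(res: Resource, fail: bool) -> bool:
    res.acquire()
    try:
        if fail:
            return False
        res.use()
        return True
    finally:
        res.release()

def premature_release_demo() -> str:
    """Two holders, but one releases twice: the other now sees a freed object."""
    res = Resource("obj")
    res.acquire(); res.acquire()     # holder A and holder B each take a reference
    res.release(); res.release()     # holder A releases twice by mistake
    try:
        return res.use()             # holder B's access
    except RuntimeError as exc:
        return str(exc)
```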

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-664
CWE-672
CWE-772

 

Consequences

 

Potential Mitigations

CVE References

 

  • CVE-2002-0574
    • chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2004-0114
    • Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory.
  • CVE-2006-3741
    • chain: improper reference count tracking leads to file descriptor consumption
  • CVE-2007-1383
    • chain: integer overflow in reference counter causes the same variable to be destroyed twice.
  • CVE-2007-1700
    • Incorrect reference count calculation leads to improper object destruction and code execution.
  • CVE-2008-2136
    • chain: incorrect update of reference count leads to memory leak.
  • CVE-2008-2785
    • chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use.
  • CVE-2008-5410
    • Improper reference counting leads to failure of cryptographic operations.
  • CVE-2009-1709
    • chain: improper reference counting in a garbage collection routine leads to use-after-free
  • CVE-2009-3553
    • chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free.
  • CVE-2009-3624
    • Reference count not always incremented, leading to crash or code execution.
  • CVE-2010-0176
    • improper reference counting leads to expired pointer dereference.
  • CVE-2010-0623
    • OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash.
  • CVE-2010-4593
    • improper reference counting leads to exhaustion of IP addresses
  • CVE-2011-0695
    • Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.
  • CVE-2012-4787
    • improper reference counting leads to use-after-free

CWE-910 – Use of Expired File Descriptor


Description

The software uses or accesses a file descriptor after it has been closed.

After a file descriptor for a particular file or device has been released, it can be reused. The code might not write to the original file, since the reused file descriptor might reference a different file or device.
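A concrete look at the reuse described above, as an added example that is not part of the CWE entry. It relies on the POSIX rule that `open()` returns the lowest free descriptor number, and writes only to files it creates in a temporary directory; the sentinel-based `close_fd`/`write_fd` pair is one way to make the stale number unusable.

```python
import os
import tempfile

INVALID_FD = -1

def expired_descriptor_demo() -> dict:
    """Show where a write through a closed descriptor number actually lands."""
    tmpdir = tempfile.mkdtemp()
    log_path = os.path.join(tmpdir, "audit.log")
    other_path = os.path.join(tmpdir, "other.dat")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC

    log_fd = os.open(log_path, flags, 0o600)
    os.close(log_fd)                 # the number is released here...
    other_fd = os.open(other_path, flags, 0o600)  # ...and POSIX hands it out again
    reused = other_fd == log_fd

    # Later code still holds the stale number and believes it is audit.log.
    os.write(log_fd, b"login ok\n")  # no error: the number is valid again, but for other.dat
    os.close(other_fd)

    with open(log_path, "rb") as f:
        log_bytes = f.read()
    with open(other_path, "rb") as f:
        other_bytes = f.read()
    for p in (log_path, other_path):
        os.remove(p)
    os.rmdir(tmpdir)
    return {"reused": reused, "audit_log": log_bytes, "other_file": other_bytes}

# Mitigation: invalidate the variable at close time and check it before use,
# so a closed descriptor can never be mistaken for a live one.
def close_fd(fd: int) -> int:
    os.close(fd)
    return INVALID_FD

def write_fd(fd: int, data: bytes) -> int:
    """Return bytes written, or -1 if the caller tried to use a closed descriptor."""
    if fd == INVALID_FD:
        return -1
    return os.write(fd, data)
```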

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-672

 

Consequences

Confidentiality: Read Files or Directories

The program could read data from the wrong file.

Availability: DoS: Crash, Exit, or Restart

Accessing a file descriptor that has been closed can cause a crash.

 

Potential Mitigations

CVE References

 

CWE-91 – XML Injection (aka Blind XPath Injection)


Description

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Within XML, special elements could include reserved words or characters such as “<”, “>”, “"”, and “&”, which could then be used to add new data or modify XML syntax.
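String-built XML next to library-built XML, as an added example that is not part of the CWE entry. The `<user>` document and the constructed input are assumptions of the example; the point is that the library escapes the reserved characters named above, so input stays data instead of becoming syntax.

```python
import xml.etree.ElementTree as ET

# Vulnerable pattern: untrusted text is spliced into the document by string
# formatting, so markup characters in the input become markup in the output.
def build_user_xml_unsafe(name: str) -> str:
    return f"<user><name>{name}</name><role>user</role></user>"

# Mitigation: let the XML library build the tree. Text content is escaped on
# serialisation, so "<", ">" and "&" in the input remain character data.
def build_user_xml_safe(name: str) -> str:
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")

def roles_in(doc: str) -> list:
    """What a downstream consumer would read as the user's roles."""
    return [r.text for r in ET.fromstring(doc).iter("role")]

def name_in(doc: str) -> str:
    return ET.fromstring(doc).find("name").text

# Constructed input containing XML syntax, used to compare the two builders.
INJECTED_NAME = "eve</name><role>admin</role><name>"
```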

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-74

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

CVE References

 

CWE-909 – Missing Initialization of Resource


Description

The software does not initialize a critical resource.

Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-665
CWE-908

 

Consequences

Confidentiality: Read Memory, Read Application Data

When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Availability: DoS: Crash, Exit, or Restart

The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.

Phase: Implementation

Effectiveness:

Description: 

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Phase: Implementation

Effectiveness:

Description: 

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Effectiveness:

Description: 

Run or compile your software with settings that generate warnings about uninitialized variables or data.

CVE References

 

  • CVE-2020-20739
    • A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

CWE-908 – Use of Uninitialized Resource


Description

The software uses or accesses a resource that has not been initialized.

When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-665

 

Consequences

Confidentiality: Read Memory, Read Application Data

When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.

Availability: DoS: Crash, Exit, or Restart

The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Phase: Implementation

Effectiveness:

Description: 

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Phase: Implementation

Effectiveness:

Description: 

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Effectiveness:

Description: 

Run or compile the software with settings that generate warnings about uninitialized variables or data.

CVE References

 

  • CVE-2019-9805
    • Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
  • CVE-2008-4197
    • Use of uninitialized memory may allow code execution.
  • CVE-2008-2934
    • Free of an uninitialized pointer leads to crash and possible code execution.
  • CVE-2008-0063
    • Product does not clear memory contents when generating an error message, leading to information leak.
  • CVE-2008-0062
    • Lack of initialization triggers NULL pointer dereference or double-free.
  • CVE-2008-0081
    • Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2008-3688
    • Chain: Uninitialized variable leads to infinite loop.
  • CVE-2008-3475
    • Chain: Improper initialization leads to memory corruption.
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
  • CVE-2008-3597
    • Chain: game server can access player data structures before initialization has happened leading to NULL dereference
  • CVE-2009-2692
    • Chain: uninitialized function pointers can be dereferenced allowing code execution
  • CVE-2009-0949
    • Chain: improper initialization of memory can lead to NULL dereference
  • CVE-2009-3620
    • Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
