Tag Archives: CVE-2014-1266

CWE-561 – Dead Code

Read Time:51 Second

Description

The software contains dead code, which can never be executed.

Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1164

 

Consequences

Other: Quality Degradation

Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality.

Other: Reduce Maintainability

 

Potential Mitigations

Phase: Implementation

Description: 

Remove dead code before deploying the application.

Phase: Testing

Description: 

Use a static analysis tool to spot dead code.

CVE References

  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

CWE-483 – Incorrect Block Delimitation

Read Time:1 Minute, 1 Second

Description

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-670

 

Consequences

Confidentiality, Integrity, Availability: Alter Execution Logic

This is a general logic error which will often lead to obviously-incorrect behaviors that are quickly noticed and fixed. In lightly tested or untested code, this error may be introduced it into a production environment and provide additional attack vectors by creating a control flow path leading to an unexpected state in the application. The consequences will depend on the types of behaviors that are being incorrectly executed.

 

Potential Mitigations

Phase: Implementation

Description: 

Always use explicit block delimitation and use static-analysis technologies to enforce this practice.

CVE References

  • CVE-2014-1266
    • incorrect indentation of “goto” statement makes it more difficult to detect an incorrect goto (Apple’s “goto fail”)

CWE-300 – Channel Accessible by Non-Endpoint

Read Time:1 Minute, 45 Second

Description

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-923

 

Consequences

Confidentiality, Integrity, Access Control: Read Application Data, Modify Application Data, Gain Privileges or Assume Identity

An attacker could pose as one of the entities and read or possibly modify the communication.

 

Potential Mitigations

Phase: Implementation

Description: 

Always fully authenticate both ends of any communications channel.

Phase: Architecture and Design

Description: 

Adhere to the principle of complete mediation.

Phase: Implementation

Description: 

A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer’s private key. The certificate can be validated by deciphering the certificate with the issuer’s public key. See also X.509 certificate signature chains and the PGP certification structure.

CVE References

  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

CWE-295 – Improper Certificate Validation

Read Time:2 Minute, 53 Second

Description

The software does not validate, or incorrectly validates, a certificate.

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287
CWE-287
CWE-322

 

Consequences

Integrity, Authentication: Bypass Protection Mechanism, Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner’s public key.

Phase: Implementation

Description: 

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CVE References

  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
  • CVE-2021-22909
    • Chain: router’s firmware update procedure uses curl with “-k” (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
  • CVE-2008-4989
    • Verification function trusts certificate chains in which the last certificate is self-signed.
  • CVE-2012-5821
    • Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server’s certificate is signed by a trusted certification authority (CA)
  • CVE-2009-3046
    • Web browser does not check if any intermediate certificates are revoked.
  • CVE-2011-0199
    • Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.
  • CVE-2012-5810
    • Mobile banking application does not verify hostname, leading to financial loss.
  • CVE-2012-3446
    • Cloud-support library written in Python uses incorrect regular expression when matching hostname.