Tag Archives: CVE-2020-0022

CWE-682 – Incorrect Calculation

Read Time:2 Minute, 51 Second

Description

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-170

 

Consequences

Availability: DoS: Crash, Exit, or Restart

If the incorrect calculation causes the program to move into an unexpected state, it may lead to a crash or impairment of service.

Integrity, Confidentiality, Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands

If the incorrect calculation is used in the context of resource allocation, it could lead to an out-of-bounds operation (CWE-119) leading to a crash or even arbitrary code execution. Alternatively, it may result in an integer overflow (CWE-190) and / or a resource consumption problem (CWE-400).

Access Control: Gain Privileges or Assume Identity

In the context of privilege or permissions assignment, an incorrect calculation can provide an attacker with access to sensitive resources.

Access Control: Bypass Protection Mechanism

If the incorrect calculation leads to an insufficient comparison (CWE-697), it may compromise a protection mechanism such as a validation routine and allow an attacker to bypass the security-critical code.

 

Potential Mitigations

Phase: Implementation

Description: 

Understand your programming language’s underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, “not-a-number” calculations, and how your language handles numbers that are too large or too small for its underlying representation.

Phase: Implementation

Description: 

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

Phase: Implementation

Description: 

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

Phase: Testing

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Testing

Description: 

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.

CVE References

  • CVE-2020-0022
    • chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787)
  • CVE-2004-1363
    • substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed

CWE-787 – Out-of-bounds Write

Read Time:2 Minute, 42 Second

Description

The software writes data past the end, or before the beginning, of the intended buffer.

Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-119

 

Consequences

Integrity, Availability: Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Requirements

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

This is not a complete solution, since many buffer overflows are not related to strings.

Phase: Build and Compilation

Effectiveness: Defense in Depth

Description: 

This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness: Defense in Depth

Description: 

This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].

This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Implementation

Effectiveness: Moderate

Description: 

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131).

CVE References

 

  • CVE-2020-0022
    • chain: mobile phone Bluetooth implementation does not include offset when calculating packet length (CWE-682), leading to out-of-bounds write (CWE-787)
  • CVE-2019-1010006
    • Chain: compiler optimization (CWE-733) removes or modifies code used to detect integer overflow (CWE-190), allowing out-of-bounds write (CWE-787).
  • CVE-2009-1532
    • malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption
  • CVE-2009-0269
    • chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead.
  • CVE-2002-2227
    • Unchecked length of SSLv2 challenge value leads to buffer underflow.
  • CVE-2007-4580
    • Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130)
  • CVE-2007-4268
    • Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
  • CVE-2009-2550
    • Classic stack-based buffer overflow in media player using a long entry in a playlist
  • CVE-2009-2403
    • Heap-based buffer overflow in media player using a long entry in a playlist