Tag Archives: CWE- 226

CWE-226 – Sensitive Information in Resource Not Removed Before Reuse

Read Time:1 Minute, 48 Second

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-459
CWE-212
CWE-201

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness: High

Description: 

During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0’s) or random data, before the transition to the next state.

Phase: Architecture and Design, Implementation

Effectiveness: High

Description: 

When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though “logical” file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.

CVE References

  • CVE-2003-0001
    • Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
  • CVE-2003-0291
    • router does not clear information from DHCP packets that have been previously used
  • CVE-2005-1406
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-1858
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-3180
    • Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  • CVE-2005-3276
    • Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.