Description
When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.
When security-critical events, such as a failed login attempt, are not logged properly, malicious behavior becomes more difficult to detect, and forensic analysis after a successful attack may be hindered.
Modes of Introduction:
- Operation
Likelihood of Exploit: Medium
Related Weaknesses
Consequences
Non-Repudiation: Hide Activities
If security-critical information is not recorded, there will be no trail for forensic analysis, and discovering the cause of problems or the source of attacks may become more difficult or impossible.
Potential Mitigations
Phase: Architecture and Design
Effectiveness:
Description:
Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged.
Phase: Operation
Effectiveness:
Description:
Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems.
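The two mitigations above, as an added example that is not part of the CWE entry, using only Python's standard `logging` module: one centralized channel with a fixed JSON schema, both login outcomes recorded with the user and source address (the details the POP-server and admin-interface CVEs below were missing), failures emitted at a level that survives a stricter production setting, and an operational check that the configured level does not silently drop them. The logger name, field names and the sample address are assumptions for this example.

```python
import io
import json
import logging
from collections import Counter
from datetime import datetime, timezone

class JsonLineFormatter(logging.Formatter):
    """One JSON object per record so a central collector can parse every field."""
    def format(self, record):
        event = {"ts": datetime.now(timezone.utc).isoformat(), "level": record.levelname,
                 "event": getattr(record, "event", "unknown")}
        event.update(getattr(record, "fields", {}))
        return json.dumps(event, sort_keys=True)

def get_security_logger(stream=None, level=logging.INFO):
    """Centralized channel (name is assumed); handlers are reset so repeated calls are safe."""
    logger = logging.getLogger("security.audit")
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    logger.setLevel(level)
    logger.propagate = False
    return logger

def log_auth_attempt(logger, username, source_ip, success, reason=None):
    """Record both outcomes with who and from where (never the password itself).
    Failures go at WARNING so a stricter production level still keeps them."""
    fields = {"user": username, "src_ip": source_ip,
              "outcome": "success" if success else "failure", "reason": reason}
    logger.log(logging.INFO if success else logging.WARNING, "auth",
               extra={"event": "auth_attempt", "fields": fields})

def level_keeps_failures(logger):
    """Operational check: does the configured level still record failed logins?"""
    return logger.isEnabledFor(logging.WARNING)

def failures_by_source(records):
    """Forensic use of the trail: failed attempts per source address."""
    return Counter(r["src_ip"] for r in records if r.get("outcome") == "failure")

def demo(level=logging.INFO):
    """Constructed sample: three bad passwords, then a success, all from one address."""
    buf = io.StringIO()
    logger = get_security_logger(buf, level)
    for _ in range(3):
        log_auth_attempt(logger, "alice", "203.0.113.5", False, "bad_password")
    log_auth_attempt(logger, "alice", "203.0.113.5", True)
    return [json.loads(line) for line in buf.getvalue().splitlines()]
```

Running `demo()` with the production level set to ERROR (numeric 40) returns no records at all, which is exactly the misconfiguration the Operation-phase mitigation warns about; `level_keeps_failures` catches it before deployment.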
CVE References
- CVE-2008-4315
- server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2008-1203
- admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2007-3730
- default configuration for POP server does not log source IP or username for login attempts
- CVE-2007-1225
- proxy does not log requests without “http://” in the URL, allowing web surfers to access restricted web content without detection
- CVE-2003-1566
- web server does not log requests for a non-standard request type