M1 1.6
• Race conditions
A race condition is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. It becomes a bug when the inputs do not happen in the order the programmer intended. The term race condition relates to the idea of multiple inputs racing each other to influence the output first.
• Weak cipher suites and implementations
A similar mistake to attempting to develop your own cryptographic algorithm is to attempt to write your own implementation of a known cryptographic algorithm. Errors in coding implementations are common and lead to weak implementations of secure algorithms that are vulnerable to bypass. Do not fall prey to creating a weak implementation; instead, use a proven, vetted cryptographic library.
• Default configuration
Default configuration is the configuration that a system enters upon start, upon recovering from an error, and at times when operating. This configuration acts as a system baseline, a position from which all other states can be measured. It is very important for the default configuration to be secure from the beginning, for if not, then a system will be vulnerable whenever entering this configuration, which in many conditions is common.
• DLL injection
Dynamic link libraries (DLLs) are pieces of code that can add functionality to a program through the inclusion of library routines linked at run time. DLL injection is the process of adding to a program at run time a DLL that has a specific vulnerability or function that can be capitalized upon by an attacker.
• Vulnerable business processes
Just as technology and users often have vulnerabilities that can be compromised, as previously discussed, vulnerable business processes are subject to compromise. When a business process that contains an inherent vulnerability is automated, then all that automation can do is increase the speed of the failure.
• Improper error handling
Software that does not properly trap an error condition and provides an attacker with underlying access to the system.
• Lack of vendor support
When the original manufacturer of the item, be it hardware or software, no longer offers support. When an item reaches end-of-life from the original manufacturer's standpoint, this signifies the finality of its life under almost all circumstances.
• Pointer dereference
A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash.
• Integer overflow
A condition that occurs when a very large integer exceeds its storage capacity. An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. The results vary by language and numeric type. In some cases, the value saturates the variable, assuming the maximum value for the defined type and no more.
• Improperly configured accounts
Accounts form the basis for access control, for they define the user, and this leads to the list of allowed actions via an access control list (ACL). Improperly configured accounts can lead to improper allowances via ACLs. Individual accounts quickly become too numerous to efficiently manage on an individual basis, and as a response to this problem, administrators create group accounts to reduce the number of controlling entries to a manageable number.
• Buffer overflow
Buffer overflow attacks are input validation attacks, designed to take advantage of input routines that do not validate the length of inputs. Surprisingly simple to resolve, all that is required is the validation of all input lengths prior to writing to memory. Many programs will provide some error checking to ensure that this will not cause a problem. Some programs, however, cannot handle this error, and the extra characters continue to fill memory, overwriting other portions of the program. This can result in a number of problems, including causing the program to abort or the system to crash. Under certain circumstances, the program can execute a command supplied by the attacker. Buffer overflows typically inherit the level of privilege enjoyed by the program being exploited.
• Embedded systems
Embedded systems are systems that are included within other systems. This term can apply to a stand-alone, single-purpose system designed to provide specific functionality to an overall system. It can also be used to refer to some module or component of a larger system that comes from another source.
• End-of-life systems (vulnerabilities due to:)
End-of-life is defined as when the system has reached a point where it can no longer function as intended. End-of-life status can be reached for many reasons, such as lack of vendor support, a failure to instantiate on newer hardware, or incompatibility with other aspects of a system. Old software systems are frequently referred to as legacy systems, especially when they are still in use post end-of-life.
• Improper input handling
Improper input handling is the true number one cause of software vulnerabilities. Improper input handling or input validation is the root cause behind most overflows, injection attacks, and canonical structure errors. Users have the ability to manipulate input, so it is up to the developer to handle the input appropriately to prevent malicious entries from having an effect.
• Memory leak
Memory leaks are programming errors caused when a computer program does not properly handle memory resources. Over time, while a program runs, if it does not clean memory resources as they are no longer needed, it can grow in size, with chunks of dead memory being scattered across the program's footprint in memory.
• Misconfiguration/weak configuration
Most systems have significant configuration options that administrators can adjust to enable or disable functionality based on usage. When a system suffers from misconfiguration or weak configuration, it may not achieve all of the desired performance or security objectives. Configuring a database server to build a complete replica of all actions as a backup system can result in a system that is bogged down and not capable of proper responses when usage is high.
• Memory/buffer vulnerability
Some languages, such as C/C++, rely upon the programmer to verify that input fits within the space allocated for it. When this task is not properly performed, there exists a chance to overwrite the allocated area in memory, potentially corrupting the values of other variables, and certainly not storing what was requested in the variable in question. This is a memory/buffer vulnerability, and it can exist in software without issue until input that exceeds the allocated space is received. Then the memory/buffer vulnerability becomes an input overflow or buffer overflow error.
• Resource exhaustion
Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function. Two common resources are capacity and memory, which are interdependent in some scenarios but completely separate in others.
• New threats/zero day
This is a term used to define vulnerabilities that are newly discovered and not yet addressed by a patch. If a researcher or developer discovers a vulnerability but does not share the information, then this vulnerability can be exploited without a vendor's ability to fix it, because for all practical knowledge the issue is unknown, except to the person who found it. This term indicates that it has not been found yet.
• Untrained users
Untrained users are users who do not know how to operate a system properly because they haven't received training associated with the system's capabilities. Unfortunately, untrained users are fairly common in most modern organizations. Whether they are end users who don't know how to navigate standard GUIs or highly technical people like software developers who don't understand how to properly use the interface of their IDE, the end result is the same: the system of protections and efficiencies built into a program goes unused.
• System sprawl/undocumented assets
When an organization adds more servers or systems to the network without properly documenting their maintenance requirements. These systems can be forgotten and result in becoming a vulnerability.
• Architecture/design weaknesses
Issues that result in vulnerabilities and increased risk in a systematic manner. These flaws are not easily corrected without addressing the specific architecture or design vulnerability that created them in the first place.
• Improper certificate and key management
Improper certificate management can lead to key problems and cryptographic failures. Failure to properly validate a key before use can result in an expired or compromised key being used. Improper key management can result in failure to secure data if, for example, a compromised key continues to be used. The PKI system has established processes and procedures to ensure proper key hygiene and limit the potential issues associated with public key cryptography.