CWE-412: Unrestricted Externally Accessible Lock

Structure: Simple

Abstraction: Base

Status: Incomplete

Likelihood of Exploit: Unknown

Description

The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.

Extended Description

An externally held lock prevents the software from acting on the associated resources or from performing any other behavior that is gated on the lock. Relevant locks include an exclusive lock or mutex, or a shared resource (such as a file) whose existence or modification is treated as a lock. If the lock can be held for an indefinite period of time, the resulting denial of service can be permanent.

Related Weaknesses

  • ChildOf CWE-667 (View 1000, Primary)

  • CanAlsoBe CWE-410 (View 1000)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Availability
Impact: DoS: Resource Consumption (Other)
Notes: When an attacker can control a lock, the program may wait indefinitely until the attacker releases the lock, causing a denial of service to other users of the program. This is especially problematic if the program performs a blocking operation on the lock.

Detection Methods

White Box

Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. if the existence of a file is used as a lock, but the file is created in a world-writable directory.

Potential Mitigations

Phases: Architecture and Design; Implementation

Use any access control that is offered by the functionality that provides the lock.

Phases: Architecture and Design; Implementation

Use unpredictable names or identifiers for the locks. This might not always be possible or feasible.

Phase: Architecture and Design

Consider modifying your code to use non-blocking synchronization methods.

Demonstrative Examples

This code tries to obtain a lock for a file, then writes to it.

(Bad code) Example Language: PHP

function writeToLog($message){
    $logfile = fopen("logFile.log", "a");
    // attempt to get the logfile lock (blocks until it is granted)
    if (flock($logfile, LOCK_EX)) {
        fwrite($logfile, $message);
        // unlock logfile
        flock($logfile, LOCK_UN);
    }
    else {
        print "Could not obtain lock on logFile.log, message not recorded\n";
    }
    fclose($logfile);
}

PHP by default will wait indefinitely until a file lock is released. If an attacker is able to obtain the file lock, this code will pause execution, possibly leading to denial of service for other users. Note that in this case, if an attacker can perform a flock() on the file, they may already have privileges to destroy the log file. However, holding the lock still impacts the execution of other programs that depend on flock().
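The third mitigation above (non-blocking synchronization) applied to this same log-writing routine, as an added example that is not part of the CWE entry. It assumes a hypothetical $logPath that the deploying process is expected to own with restrictive permissions; LOCK_NB makes flock() return immediately, and the third flock() argument distinguishes contention from other errors, so an externally held lock costs a bounded wait instead of an indefinite stall.

```php
<?php
// Added example (not from the CWE entry): bounded, non-blocking acquisition of the
// log-file lock so a lock held by another actor cannot stall this process forever.
// $logPath is a hypothetical parameter; $maxAttempts/$retryUsec bound the total wait.

function writeToLog(string $message, string $logPath, int $maxAttempts = 5, int $retryUsec = 200000): bool
{
    $logfile = fopen($logPath, 'a');
    if ($logfile === false) {
        return false;
    }
    // Mitigation 1: rely on filesystem access control. Refuse a world-writable log,
    // since anyone could then take the lock (or replace the file).
    $perms = fileperms($logPath);
    if ($perms !== false && ($perms & 0002)) {
        fclose($logfile);
        error_log("Refusing to use world-writable log file $logPath");
        return false;
    }
    $acquired = false;
    for ($attempt = 0; $attempt < $maxAttempts; $attempt++) {
        // LOCK_NB: return immediately instead of waiting for the current holder.
        if (flock($logfile, LOCK_EX | LOCK_NB, $wouldBlock)) {
            $acquired = true;
            break;
        }
        if (!$wouldBlock) {
            break; // a genuine flock() error, not contention: retrying will not help
        }
        usleep($retryUsec);
    }
    if (!$acquired) {
        fclose($logfile);
        // Fail closed and report; the caller decides whether an unrecorded message is fatal.
        error_log("Could not obtain lock on $logPath after $maxAttempts attempts; message not recorded");
        return false;
    }
    $ok = fwrite($logfile, $message) !== false;
    fflush($logfile);
    flock($logfile, LOCK_UN);
    fclose($logfile);
    return $ok;
}
```

The return value lets a monitoring layer count failed acquisitions, which is the observable symptom of an externally held lock.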

Observed Examples

CVE-2001-0682: Program cannot execute when attacker obtains a mutex. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0682
CVE-2002-1914: Program cannot execute when attacker obtains a lock on a critical output file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1914
CVE-2002-1915: Program cannot execute when attacker obtains a lock on a critical output file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1915
CVE-2002-0051: Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0051
CVE-2000-0338: Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0338
CVE-2000-1198: Chain: lock files with predictable names. Resultant from randomness. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1198
CVE-2002-1869: Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1869


Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Unrestricted Critical Resource Lock
7 Pernicious Kingdoms | | | Deadlock
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service
The CERT Oracle Secure Coding Standard for Java (2011) | LCK00-J | | Use private final lock objects to synchronize classes that may interact with untrusted code
The CERT Oracle Secure Coding Standard for Java (2011) | LCK07-J | | Avoid deadlock by requesting and releasing locks in the same order
Software Fault Patterns | SFP22 | | Unrestricted lock

Related Attack Patterns

  • CAPEC-25