Reino: Code Quality

Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.

Unreleased Resource: Sockets

ABAP
Java/JSP

Abstract

Es posible que el programa no pueda liberar un socket.

Explanation

Es posible que el programa no pueda liberar un socket.

Las pérdidas de recursos presentan dos causas habituales:

- Condiciones de error y otras circunstancias excepcionales.

- Confusión en cuanto a la parte del programa responsable de liberar el recurso.

La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede desencadenar de forma intencionada una pérdida de recursos, este podría lanzar un ataque de denegación de servicio agotando el conjunto de recursos.

Ejemplo 1: El siguiente método nunca cierra el identificador socket que abre. En un entorno ocupado, esto puede provocar que el sistema de tiempo de ejecución de ABAP consuma todos sus sockets.


...
    lo_client = cl_apc_tcp_client_manager=>create( i_host = host
                                                   i_port = port
                                                   i_frame = lv_frame
                                                   i_protocol = protocol
                                                   i_ssl_id = ssl_id
                                                   i_event_handler = lo_event_handler ).

    " initiate the connection setup, successful connect leads to execution of ON_OPEN
    lo_client->connect( ).

...

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 772

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect

[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.abap.unreleased_resource_sockets

Abstract

Es posible que el programa no pueda liberar un socket.

Explanation

Es posible que el programa no pueda liberar un socket.

Las pérdidas de recursos presentan dos causas habituales:

- Condiciones de error y otras circunstancias excepcionales.

- Confusión en cuanto a la parte del programa responsable de liberar el recurso.

La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.

Ejemplo 1: el siguiente método nunca cierra el socket que abre. En un entorno muy activo, esto puede provocar que la JVM utilice todos los sockets.


private void echoSocket(String host, int port) throws UnknownHostException, SocketException, IOException
{
  Socket sock = new Socket(host, port);
  BufferedReader reader = new BufferedReader(new InputStreamReader(sock.getInputStream()));

  while ((String socketData = reader.readLine()) != null) {
    System.out.println(socketData);
  }
}

Ejemplo 2: en condiciones normales, la siguiente solución cierra correctamente el socket y todas las secuencias asociadas. Sin embargo, si se produce una excepción al leer la entrada o escribir los datos en la pantalla, no se cerrará el objeto de socket. Si esto se produce con suficiente frecuencia, el sistema podría quedarse sin sockets, por lo que no podría administrar ninguna conexión adicional.


private void echoSocket(String host, int port) throws UnknownHostException, SocketException, IOException
{
  Socket sock = new Socket(host, port);
  BufferedReader reader = new BufferedReader(new InputStreamReader(sock.getInputStream()));

  while ((String socketData = reader.readLine()) != null) {
    System.out.println(socketData);
  }
  sock.close();
}

References

[1] FIO04-J. Release resources when they are no longer needed CERT

[2] DOS-2: Release resources in all cases Oracle

[3] Standards Mapping - Common Weakness Enumeration CWE ID 772

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.unreleased_resource_sockets