Reino: Code Quality

Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.

Intent Manipulation: Mutable Pending Intent

Java/JSP

Abstract

Se ha detectado un PendingIntent que tiene su valor de marca establecido en FLAG_MUTABLE. Los intents pendientes creados con el valor de marca FLAG_MUTABLE son susceptibles de tener campos Intent no especificados configurados en sentido descendente, que pueden modificar la capacidad del Intent y dejar el sistema expuesto a deficiencias.

Explanation

Permitir la modificación del Intent subyacente de un PendingIntent después de su creación puede dejar un sistema abierto a ataques. Esto depende principalmente de la capacidad general del Intent subyacente. En la mayoría de los casos, se recomienda evitar posibles problemas configurando la marca PendingIntent en FLAG_IMMUTABLE.

Ejemplo 1: El siguiente incluye un PendingIntent creado con un valor de marca de FLAG_MUTABLE.


...
val intent_flag_mut = Intent(Intent.ACTION_GTALK_SERVICE_DISCONNECTED, Uri.EMPTY, this, DownloadService::class.java)
val flag_mut = PendingIntent.FLAG_MUTABLE

val pi_flagmutable = PendingIntent.getService(
    this,
    0,
    intent_flag_mut,
    flag_mut
)
...

References

[1] Remediation for Implicit PendingIntent Vulnerability

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 99

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.intent_manipulation_mutable_pending_intent