Weaknesses
Abstract
An Azure service does not use customer-managed keys.
Explanation
Poorly managed encryption keys are the cause of various security failures. Organizations should not rely on platform-managed keys for critical data resources.
References
[1] Microsoft Key management in Azure
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 4.1.3
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.azure_bad_practices_missing_customer_managed_key.base
Abstract
Azure SQL VM Auto Backup is not configured to encrypt backups.
Explanation
It is often overlooked that data backups are assets that require as much protection as the original data.

Unencrypted backups leave the backup data accessible to potential attackers.

By default, the automated backup configuration for Azure SQL virtual machines does not apply encryption to data backups.

Example 1: The following example shows a Terraform configuration that defines an automated backup configuration for an Azure SQL virtual machine that does not enforce encryption of backup data.

resource "azurerm_mssql_virtual_machine" "aztf009-tn-03" {
  virtual_machine_id = data.azurerm_virtual_machine.example.id
  ...
  # No encryption settings in auto_backup: backups are written unencrypted.
  auto_backup {
    retention_period_in_days   = 1
    storage_blob_endpoint      = ""
    storage_account_access_key = azurerm_storage_account.example.primary_access_key
  }
}
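
A counterpart to Example 1 with backup encryption turned on, added here as an illustration and not part of the original entry. It uses the `encryption_enabled` and `encryption_password` arguments of the azurerm `auto_backup` block; the resource label, the variable `backup_encryption_password`, and the referenced virtual machine data source and storage account are assumed to be defined elsewhere in the configuration.

```hcl
# Assumed variable: supply the value from a secret store or a CI secret,
# not from a .tfvars file committed to version control.
variable "backup_encryption_password" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

resource "azurerm_mssql_virtual_machine" "encrypted_backup" {
  # data.azurerm_virtual_machine.example is assumed to exist, as in Example 1.
  virtual_machine_id = data.azurerm_virtual_machine.example.id

  auto_backup {
    # Encryption is off unless explicitly enabled; the password is required
    # whenever encryption_enabled is true.
    encryption_enabled  = true
    encryption_password = var.backup_encryption_password

    retention_period_in_days = 1

    # azurerm_storage_account.example is assumed to exist, as in Example 1.
    storage_blob_endpoint      = azurerm_storage_account.example.primary_blob_endpoint
    storage_account_access_key = azurerm_storage_account.example.primary_access_key
  }
}

# Note: "sensitive" only redacts CLI output. The password and the storage
# access key are still stored in Terraform state, so the state backend needs
# its own encryption at rest and restricted access.
```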
References
[1] HashiCorp azurerm_mssql_virtual_machine
[2] Microsoft Automated Backup v2 for Azure virtual machines (Resource Manager)
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM, SC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.hcl.azure_terraform_misconfiguration_sql_server_backup_missing_encryption.base
Abstract
An Azure service does not use customer-managed keys.
Explanation
Poorly managed encryption keys are the cause of various security failures. Organizations should not rely on platform-managed keys for critical data resources.
References
[1] Microsoft Key management in Azure
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 7.3, Recommendation 3.12
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.azure_bad_practices_missing_customer_managed_key.base
Abstract
An Azure service does not enable infrastructure encryption.
Explanation
Implementation errors, misconfigurations, and compromised keys are some of the issues that prevent single-layer encryption from fully protecting highly sensitive data. Organizations should adopt a defense-in-depth approach to protect highly sensitive data and avoid having a single point of failure in their security design.
References
[1] Microsoft Double encryption
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.2
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM, SC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.iac.azure_misconfiguration_missing_infrastructure_encryption.base
Abstract
An Azure service does not use customer-managed keys.
Explanation
Poorly managed encryption keys are the cause of various security failures. Organizations should not rely on platform-managed keys for critical data resources.
References
[1] Microsoft Key management in Azure
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.azure_bad_practices_missing_customer_managed_key.base
Abstract
An Azure service does not enable host-based encryption.
Explanation
Azure offers several encryption options, each with specific advantages and limitations. For example, Azure Storage server-side encryption (SSE) performs encryption by default without using compute resources; however, it does not encrypt the temporary disk or caches. Nor does it protect data flowing from a compute instance to storage. Azure Disk Encryption (ADE) encrypts temporary disks and caches, as well as data flowing to storage, but at the expense of compute resources.
References
[1] Microsoft Overview of managed disk encryption options
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.azure_misconfiguration_missing_host_based_encryption.base
Abstract
An Azure service does not use customer-managed keys.
Explanation
Poorly managed encryption keys are the cause of various security failures. Organizations should not rely on platform-managed keys for critical data resources.
References
[1] Microsoft Key management in Azure
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.azure_bad_practices_missing_customer_managed_key.base
Abstract
A configuration uses a weak authentication mechanism.
Explanation
Weak authentication mechanisms expose organizations to unauthorized access.

Authentication mechanisms can fail for several reasons, such as:
- Weak passwords
- Incorrect validation
- Weak credential management
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 9.1
[2] Standards Mapping - Common Weakness Enumeration CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[21] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
A configuration uses a weak authentication mechanism.
Explanation
Weak authentication mechanisms expose organizations to unauthorized access.

Authentication mechanisms can fail for several reasons, such as:
- Weak passwords
- Incorrect validation
- Weak credential management
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
An attacker can set arbitrary bean properties that can compromise system integrity.
Explanation
Bean property names and values must be validated before populating any bean. Bean population functions allow developers to set a bean property or a nested property. An attacker can leverage this functionality to access special bean properties such as class.classLoader, which allows them to override system properties and potentially execute arbitrary code.

Example 1: The following code sets a user-controlled bean property without proper validation of the property name or value:


// Property name and value are taken from the request without any validation.
String prop = request.getParameter("prop");
String value = request.getParameter("value");
HashMap<String, String> properties = new HashMap<>();
properties.put(prop, value);
BeanUtils.populate(user, properties);
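One way to apply the validation this entry calls for, as an added example that is not part of the original entry: property names are matched exactly against an allowlist before `BeanUtils.populate` is called, so nested names such as `class.classLoader` never reach the bean. The `User` bean, the allowlist, the length limit and the sample parameters are assumptions made for illustration, and Apache Commons BeanUtils must be on the classpath.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtils;

public class SafeBeanPopulator {

    /** Hypothetical bean standing in for the `user` object in Example 1. */
    public static class User {
        private String displayName;
        private String email;
        private boolean admin; // server-side only; never settable from a request

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Assumed policy: the only properties a client is allowed to set.
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("displayName", "email");
    private static final int MAX_VALUE_LENGTH = 256;

    /**
     * Returns a copy of the requested properties, or throws if any name or value
     * fails validation. Names must match the allowlist exactly, so nested ("a.b"),
     * indexed ("a[0]") and mapped ("a(k)") expressions are rejected as well.
     */
    static Map<String, String> validate(Map<String, String> requested) {
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : requested.entrySet()) {
            String name = entry.getKey();
            String value = entry.getValue();
            if (name == null || !ALLOWED_PROPERTIES.contains(name)) {
                throw new IllegalArgumentException("property not allowed: " + name);
            }
            if (value == null || value.length() > MAX_VALUE_LENGTH
                    || value.chars().anyMatch(Character::isISOControl)) {
                throw new IllegalArgumentException("invalid value for property: " + name);
            }
            accepted.put(name, value);
        }
        return accepted;
    }

    /** Populates the bean only after every name and value has been validated. */
    static void populate(Object bean, Map<String, String> requested)
            throws IllegalAccessException, InvocationTargetException {
        BeanUtils.populate(bean, validate(requested));
    }

    public static void main(String[] args) throws Exception {
        User user = new User();

        // Constructed sample input: parameters a profile form is expected to send.
        Map<String, String> expected = new LinkedHashMap<>();
        expected.put("displayName", "Alice");
        expected.put("email", "alice@example.com");
        populate(user, expected);
        System.out.println(user.getDisplayName() + " <" + user.getEmail()
                + "> admin=" + user.isAdmin());

        // Constructed sample input: names outside the allowlist, including the
        // special property named in the explanation above.
        for (String name : new String[] {"admin", "class.classLoader"}) {
            Map<String, String> unexpected = new LinkedHashMap<>();
            unexpected.put(name, "true");
            try {
                populate(user, unexpected);
                System.out.println("unexpectedly accepted: " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```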
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 15
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.bean_manipulation
Abstract
The application uses the LocalAuthentication framework to authenticate the user, which may be insufficient for applications that require more thorough security controls.
Explanation
Touch ID-based authentication can be implemented in two different ways: through the LocalAuthentication framework, or through Touch ID-based access controls in the Keychain service.

Although both should be secure enough for most applications, the LocalAuthentication approach has some characteristics that make it less suitable for higher-risk applications, such as those in the banking, healthcare and insurance sectors:

- LocalAuthentication is defined outside the device's Secure Enclave, which means that its APIs can be hooked and modified on jailbroken devices.
- LocalAuthentication authenticates the user by evaluating the context policy, which can only evaluate to true or false. This boolean evaluation means that the application cannot know who is actually authenticating, only whether or not a fingerprint registered on the device was used. In addition, fingerprints that might be registered in the future will also evaluate successfully to true.


Example 1: The following code uses the LocalAuthentication framework to perform user authentication:


...
LAContext *context = [[LAContext alloc] init];
NSError *error = nil;
NSString *reason = @"Please authenticate using the Touch ID sensor.";

if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:reason
                      reply:^(BOOL success, NSError *error) {
                          if (success) {
                              // Fingerprint was authenticated
                          } else {
                              // Fingerprint could not be authenticated
                          }
                      }
    ];
}
...
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Integrating Touch ID Into Your iOS Applications Cigital
[3] Don't Touch Me That Way nVisium
[4] SecAccessControlCreateFlags Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.objc.biometric_authentication_insecure_touch_id_implementation
Abstract
The application uses the LocalAuthentication framework to authenticate the user, which may be insufficient for applications that require stronger security controls.
Explanation
Touch ID-based authentication can be implemented in two different ways: through the LocalAuthentication framework, or through Touch ID-based access controls in the Keychain service.

Although both should be secure enough for most applications, the LocalAuthentication approach has some characteristics that make it less suitable for higher-risk applications, such as those in the banking, healthcare, and insurance sectors:

- LocalAuthentication is defined outside of the device's Secure Enclave, which means that its APIs can be hooked and modified on jailbroken devices.
- LocalAuthentication authenticates the user by evaluating the context policy, which can only evaluate to true or false. This boolean evaluation means that the application cannot know who is actually authenticating, only whether or not a fingerprint registered on the device was used. In addition, fingerprints that are registered in the future will also evaluate successfully as true.


Example 1: The following code uses the LocalAuthentication framework to authenticate the user:


...
let context = LAContext()
var error: NSError?
let reason = "Please authenticate using the Touch ID sensor."

if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, error in
        if success {
            // Fingerprint was authenticated
        } else {
            // Fingerprint could not be authenticated
        }
    }
}
...
desc.dataflow.swift.biometric_authentication_insecure_touch_id_implementation
Abstract
The application uses Touch ID to store an item in the keychain but does not restrict the valid fingerprints to those that were available when the keychain item was stored.
Explanation
Touch ID-based authentication can be implemented with the Keychain services by storing an item in the keychain and setting an access control that requires the user to use their fingerprint to retrieve the item later. The following policies can be used to define how the user will be authenticated with their fingerprint:

- kSecAccessControlUserPresence: Constraint to access with either Touch ID or a passcode. Touch ID does not have to be available or enrolled. The item is still accessible by Touch ID even if fingerprints are added or removed.
- kSecAccessControlTouchIDAny: Constraint to access with Touch ID for any enrolled fingerprints. The item is not invalidated if fingerprints are added or removed.
- kSecAccessControlTouchIDCurrentSet: Constraint to access with Touch ID for the currently enrolled fingerprints. The item is invalidated if fingerprints are added or removed.

When using Touch ID, you should use the kSecAccessControlTouchIDCurrentSet attribute to protect against fingerprints being added or removed in the future.

Example 1: The following code uses the kSecAccessControlTouchIDAny constraint, which allows the keychain item to be unlocked by any fingerprint that is enrolled in the future:


...
// kSecAccessControlTouchIDAny: the item stays readable after fingerprints are added or removed
SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                 kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                 kSecAccessControlTouchIDAny,
                                 NULL);
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];
[dict setObject:account forKey:(__bridge id)kSecAttrAccount];
[dict setObject:service forKey:(__bridge id)kSecAttrService];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:(__bridge id)sacRef forKey:(__bridge id)kSecAttrAccessControl];
[dict setObject:@"Please authenticate using the Touch ID sensor." forKey:(__bridge id)kSecUseOperationPrompt];

dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
});
...
desc.dataflow.objc.biometric_authentication_insufficient_touch_id_protection
Abstract
The application uses Touch ID to store an item in the keychain but does not restrict the valid fingerprints to those that were available when the keychain item was stored.
Explanation
Touch ID-based authentication can be implemented with the Keychain services by storing an item in the keychain and setting an access control that requires the user to use their fingerprint to retrieve the item later. The following policies can be used to define how the user will be authenticated with their fingerprint:

- kSecAccessControlUserPresence: Constraint to access with either Touch ID or a passcode. Touch ID does not have to be available or enrolled. The item is still accessible by Touch ID even if fingerprints are added or removed.
- kSecAccessControlTouchIDAny: Constraint to access with Touch ID for any enrolled fingerprints. The item is not invalidated if fingerprints are added or removed.
- kSecAccessControlTouchIDCurrentSet: Constraint to access with Touch ID for the currently enrolled fingerprints. The item is invalidated if fingerprints are added or removed.

When using Touch ID, you should use the kSecAccessControlTouchIDCurrentSet attribute to protect against fingerprints being added or removed in the future.

Example 1: The following code uses the kSecAccessControlTouchIDAny constraint, which allows the keychain item to be unlocked by any fingerprint that is enrolled in the future:


...
// .touchIDAny: the item stays readable after fingerprints are added or removed
let sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                             .touchIDAny,
                                             nil)

var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrService as String] = service as AnyObject?
query[kSecAttrAccount as String] = account as AnyObject?
query[kSecValueData as String] = secret as AnyObject?
...
query[kSecAttrAccessControl as String] = sacRef
query[kSecUseOperationPrompt as String] = "Please authenticate using the Touch ID sensor." as AnyObject?

SecItemAdd(query as CFDictionary, nil)
...
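
The hardened counterpart of the keychain examples above, and the keychain-based alternative to a boolean LocalAuthentication result: the secret is bound to the currently enrolled fingerprints and is only released by the keychain after a successful match. This is an added example, not code from the original page; `storeSecret`, `readSecret`, and `BiometricKeychainError` are hypothetical names, and treating `errSecItemNotFound` as "enrollment changed" is an assumption of this sketch.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum BiometricKeychainError: Error {
    case accessControl(String)        // could not build the access control object
    case enrollmentChangedOrMissing   // item unavailable: never stored, or invalidated
    case userCanceledOrFailed         // user dismissed the prompt or the match failed
    case unexpected(OSStatus)
}

/// Stores `secret` so that only the fingerprints enrolled at this moment can release it.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .touchIDCurrentSet,           // kSecAccessControlTouchIDCurrentSet
        &cfError
    ) else {
        let message = cfError.map { String(describing: $0.takeRetainedValue()) } ?? "unknown"
        throw BiometricKeychainError.accessControl(message)
    }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(base as CFDictionary)

    var attributes = base
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessControl as String] = access
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw BiometricKeychainError.unexpected(status)
    }
}

/// Reads the secret back. The keychain shows the Touch ID prompt itself, so call
/// this off the main thread. The caller receives the secret, not a true/false flag.
func readSecret(service: String, account: String, prompt: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseOperationPrompt as String: prompt
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else {
            throw BiometricKeychainError.unexpected(status)
        }
        return data
    case errSecItemNotFound:
        // Assumption: an item invalidated by a fingerprint being added or removed
        // is reported like a missing item. Fall back to full re-authentication
        // (for example, password login) and store a fresh secret afterwards.
        throw BiometricKeychainError.enrollmentChangedOrMissing
    case errSecUserCanceled, errSecAuthFailed:
        throw BiometricKeychainError.userCanceledOrFailed
    default:
        throw BiometricKeychainError.unexpected(status)
    }
}
```

The value returned by `readSecret` should be something the application actually needs in order to proceed, such as a server-issued token, so that bypassing the prompt on a jailbroken device yields nothing useful.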
desc.dataflow.swift.biometric_authentication_insufficient_touch_id_protection
Abstract
The application prompts users for their fingerprints without providing a justification.
Explanation
According to Apple's guidelines, the application must always explain to users why their fingerprints are required. Failing to do so can confuse the user or even cause the application to be rejected from the App Store.

Example 1: The following code uses Touch ID to authenticate the user but does not provide a localized reason explaining why authentication is required:

[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:nil
    reply:^(BOOL success, NSError *error) {
        if (success) {
            NSLog(@"Auth was OK");
        }
    }];
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.objc.biometric_authentication_missing_operation_message
Abstract
The application prompts users for their fingerprints without providing a justification.
Explanation
According to Apple's guidelines, the application must always explain to users why their fingerprints are required. Failing to do so can confuse the user or even cause the application to be rejected from the App Store.

Example 1: The following code uses Touch ID to authenticate the user but does not provide a localized reason explaining why authentication is required:

context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "", reply: { (success, error) -> Void in
    if (success) {
        print("Auth was OK");
    }
    else {
        print("Error received: %d", error!);
    }
})
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.swift.biometric_authentication_missing_operation_message
Abstract
Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or lead to the execution of malicious code.
Explanation
Buffer overflow is probably the best-known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, yet buffer overflow attacks against both existing and newly developed applications are still quite common. Part of the problem is the wide variety of ways in which a buffer overflow can occur, and part is the error-prone techniques often used to prevent them.

In a classic buffer overflow attack, the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of stack buffer overflow is still common on some platforms and in some development communities, there are a variety of other types of buffer overflow, including heap buffer overflows and off-by-one errors, among others. A number of excellent books provide detailed information on how buffer overflow attacks work, including "Building Secure Software" [1], "Writing Secure Code" [2], and "The Shellcoder's Handbook" [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate on. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.

Buffer overflow vulnerabilities typically occur in code that:

- Relies on external data to control its behavior.

- Depends on properties of the data that are enforced outside of the immediate scope of the code.

- Is so complex that a programmer cannot accurately predict its behavior.

The following examples demonstrate all three of these scenarios.

Example 1.a: The following sample code demonstrates a simple buffer overflow that is often caused by the first scenario, in which the code relies on external data to control its behavior. The code uses the gets() function to read an arbitrary amount of data into a stack buffer. Because there is no way to limit the amount of data read by this function, the safety of the code depends on the user always entering fewer than BUFSIZE characters.


...
char buf[BUFSIZE];
gets(buf);
...
Example 1.b: This example shows how easy it is to mimic the unsafe behavior of the gets() function in C++ by using the >> operator to read input into a char[] string.


...
char buf[BUFSIZE];
cin >> (buf);
...
Example 2: The code in this example also relies on user input to control its behavior, but it adds a level of indirection with the use of the bounded memory copy function memcpy(). This function accepts a destination buffer, a source buffer, and the number of bytes to copy. The input buffer is filled by a bounded call to read(), but the user specifies the number of bytes that memcpy() copies.


...
char buf[64], in[MAX_SIZE];
printf("Enter buffer contents:\n");
read(0, in, MAX_SIZE-1);
printf("Bytes to copy:\n");
scanf("%d", &bytes);
memcpy(buf, in, bytes);
...


Note: This type of buffer overflow vulnerability (where a program reads data and then trusts a value from the data in subsequent memory operations on the remaining data) has turned up frequently in image, audio, and other file processing libraries.

Example 3: This is an example of the second scenario, in which the code depends on properties of the data that are not verified locally. In this example a function named lccopy() takes a string as its argument and returns a heap-allocated copy of the string with all uppercase letters converted to lowercase. The function performs no bounds checking on its input because it expects str to always be smaller than BUFSIZE. If an attacker bypasses the checks in the code that calls lccopy(), or if a change in that code invalidates the assumption about the size of str, then lccopy() will overflow buf with the unbounded call to strcpy().

char *lccopy(const char *str) {
    char buf[BUFSIZE];
    char *p;

    strcpy(buf, str);
    for (p = buf; *p; p++) {
        if (isupper(*p)) {
            *p = tolower(*p);
        }
    }
    return strdup(buf);
}
Example 4: The following code demonstrates the third scenario, in which the code is so complex that its behavior cannot be easily predicted. This code is from the popular libPNG image decoder, which is used by a wide range of applications.

The code appears to perform bounds checking safely because it checks the size of the variable length, which it later uses to control the amount of data copied by png_crc_read(). However, immediately before it tests length, the code performs a check on png_ptr->mode, and if this check fails, a warning is issued and processing continues. Because length is tested in an else if block, length is not tested if the first check fails, and it is used blindly in the call to png_crc_read(), potentially allowing a stack buffer overflow.

Although the code in this example is not the most complex we have seen, it demonstrates why complexity should be minimized in code that performs memory operations.

if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
    /* Should be an error, but we can cope with it */
    png_warning(png_ptr, "Missing PLTE before tRNS");
}
else if (length > (png_uint_32)png_ptr->num_palette) {
    png_warning(png_ptr, "Incorrect tRNS chunk length");
    png_crc_finish(png_ptr, length);
    return;
}
...
png_crc_read(png_ptr, readbuf, (png_size_t)length);
Example 5: This example also demonstrates the third scenario, in which the program's complexity exposes it to buffer overflows. In this case, the exposure is due to the ambiguous interface of one of the functions rather than the structure of the code (as was the case in the previous example).

The getUserInfo() function takes a username specified as a multibyte string and a pointer to a structure for user information, and populates the structure with information about the user. Because Windows authentication uses Unicode for usernames, the username argument is first converted from a multibyte string to a Unicode string. This function then incorrectly passes the size of unicodeUser in bytes rather than characters. The call to MultiByteToWideChar() may therefore write up to (UNLEN+1)*sizeof(WCHAR) wide characters, or (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, to the unicodeUser array, which has only (UNLEN+1)*sizeof(WCHAR) bytes allocated. If the username string contains more than UNLEN characters, the call to MultiByteToWideChar() will overflow the buffer unicodeUser.

void getUserInfo(char *username, struct _USER_INFO_2 info){
    WCHAR unicodeUser[UNLEN+1];
    MultiByteToWideChar(CP_ACP, 0, username, -1,
                        unicodeUser, sizeof(unicodeUser));
    NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}
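The patterns in Examples 2, 3 and 4, rewritten so that every size is checked where the memory operation happens. This is an added illustration, not code from the original entry or from libPNG; the function names copy_claimed(), lccopy_checked() and read_trns_checked() and their parameters are hypothetical, and the last function is a simplified model of the tRNS handling rather than the library's real code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Example 2 pattern, hardened (hypothetical helper). The count supplied by
 * the user is checked against both the number of bytes actually received
 * and the capacity of the destination before memcpy() runs.
 * Returns 0 on success, -1 if the count is rejected. */
int copy_claimed(char *dst, size_t dst_cap,
                 const char *src, size_t src_len, long claimed)
{
    if (dst == NULL || src == NULL || claimed < 0)
        return -1;
    if ((size_t)claimed > src_len || (size_t)claimed > dst_cap)
        return -1;
    memcpy(dst, src, (size_t)claimed);
    return 0;
}

/* Example 3 pattern, hardened (hypothetical helper). The fixed-size stack
 * buffer is gone: the result is sized from the input itself, so the function
 * no longer depends on a length check made by its callers.
 * Returns a heap-allocated lowercase copy, or NULL on failure. */
char *lccopy_checked(const char *str)
{
    size_t n, i;
    char *out;

    if (str == NULL)
        return NULL;
    n = strlen(str);
    out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)str[i]);
    out[n] = '\0';
    return out;
}

/* Example 4 pattern, simplified model (hypothetical, not libPNG code).
 * The length test is an independent `if`, not an `else if`, so it runs even
 * when the "missing PLTE" warning path is taken, and it is always compared
 * with the capacity of the buffer that receives the data.
 * Returns 0 on success, 1 on success with a warning, -1 if rejected. */
int read_trns_checked(int have_plte, size_t num_palette,
                      const unsigned char *chunk, size_t length,
                      unsigned char *readbuf, size_t readbuf_cap)
{
    int warned = 0;

    if (chunk == NULL || readbuf == NULL)
        return -1;
    if (!have_plte)
        warned = 1;              /* tolerated, as in the original code */
    if (length > readbuf_cap)    /* unconditional destination bound */
        return -1;
    if (have_plte && length > num_palette)
        return -1;               /* chunk longer than the palette */
    memcpy(readbuf, chunk, length);
    return warned;
}
```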
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] About Strsafe.h Microsoft
[5] Standards Mapping - Common Weakness Enumeration CWE ID 120, CWE ID 129, CWE ID 131, CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [3] CWE ID 020, [12] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [3] CWE ID 020, [2] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787, [4] CWE ID 020, [17] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787, [4] CWE ID 020, [19] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787, [6] CWE ID 020, [17] CWE ID 119
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 18-0-5
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3, Rule 21.2.2
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 5.4.1 Memory/String/Unmanaged Code Requirements (L1 L2 L3), 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3), 14.1.2 Build (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A1 Injection
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[40] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 120, Risky Resource Management - CWE ID 129, Risky Resource Management - CWE ID 131
[41] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 120, Risky Resource Management - CWE ID 131
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3590.1 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3590.1 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.dataflow.cpp.buffer_overflow
Abstract
The program uses an improperly bounded format string, allowing it to write outside the bounds of allocated memory. This behavior can corrupt data, crash the program, or lead to the execution of malicious code.
Explanation
Buffer overflow is probably the best-known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, yet buffer overflow attacks against both existing and newly developed applications are still quite common. Part of the problem is the wide variety of ways in which a buffer overflow can occur, and part is the error-prone techniques often used to prevent them.

In a classic buffer overflow attack, the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of stack buffer overflow is still common on some platforms and in some development communities, there are a variety of other types of buffer overflow, including heap buffer overflows and off-by-one errors, among others. A number of excellent books provide detailed information on how buffer overflow attacks work, including "Building Secure Software" [1], "Writing Secure Code" [2], and "The Shellcoder's Handbook" [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily go beyond the allocated bounds of the buffers they operate on. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.

In this case, an improperly constructed format string causes the program to write beyond the bounds of allocated memory.

Example 1: The following code overflows c because the double type requires more space than is allocated for c.

void formatString(double d) {
    char c;

    scanf("%d", &c);
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 134, CWE ID 787
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[23] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[24] Standards Mapping - OWASP Top 10 2013 A1 Injection
[25] Standards Mapping - OWASP Top 10 2017 A1 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[39] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 134
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_format_string
Abstract
The program uses an improperly bounded format string that includes a %f or %F floating point specifier. Unexpectedly large floating point values will cause the program to write data outside the bounds of allocated memory, which can corrupt data, crash the program, or lead to the execution of malicious code.
Explanation
Buffer overflow is probably the best-known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, yet buffer overflow attacks against both existing and newly developed applications are still quite common. Part of the problem is the wide variety of ways in which a buffer overflow can occur, and part is the error-prone techniques often used to prevent them.

In a classic buffer overflow attack, the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of stack buffer overflow is still common on some platforms and in some development communities, there are a variety of other types of buffer overflow, including heap buffer overflows and off-by-one errors, among others. A number of excellent books provide detailed information on how buffer overflow attacks work, including "Building Secure Software" [1], "Writing Secure Code" [2], and "The Shellcoder's Handbook" [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily go beyond the allocated bounds of the buffers they operate on. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.

In this case, an improperly constructed format string causes the program to write beyond the bounds of allocated memory.

Example 1: The following code overflows buf because, depending on the size of f, the format string specifier "%d %.1f ... " can exceed the amount of allocated memory.

void formatString(int x, float f) {
    char buf[40];
    sprintf(buf, "%d %.1f ... ", x, f);
}
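How much space the format in Example 1 can actually need, and a bounded version that rejects output that does not fit. This is an added illustration, not part of the original entry; format_needed() and format_string_checked() are hypothetical names, and the worst-case figure in the comments assumes a 32-bit int and an IEEE 754 single-precision float.

```c
#include <float.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The format string from Example 1. */
#define FMT "%d %.1f ... "

/* Number of characters (excluding the terminating NUL) that FMT produces
 * for the given values. snprintf() with a NULL buffer and size 0 only
 * measures; it writes nothing. With %.1f a float is printed in full decimal
 * notation, so a value near FLT_MAX alone contributes 39 digits plus ".0". */
int format_needed(int x, float f)
{
    return snprintf(NULL, 0, FMT, x, f);
}

/* Bounded replacement for the sprintf() call in Example 1 (hypothetical
 * helper). Returns the number of characters written, or -1 if the output
 * would not fit in cap bytes including the NUL; on failure buf is left as
 * an empty string, never a silently truncated one. */
int format_string_checked(char *buf, size_t cap, int x, float f)
{
    int n;

    if (buf == NULL || cap == 0)
        return -1;
    n = snprintf(buf, cap, FMT, x, f);
    if (n < 0 || (size_t)n >= cap) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[40];   /* same size as in Example 1 */

    /* Typical values fit comfortably. */
    printf("needed for (7, 1.5): %d\n", format_needed(7, 1.5f));

    /* Worst case for these types: far more than the 40 bytes allocated. */
    printf("needed for (INT_MIN, -FLT_MAX): %d\n",
           format_needed(INT_MIN, -FLT_MAX));

    if (format_string_checked(buf, sizeof buf, INT_MIN, -FLT_MAX) < 0)
        printf("rejected: output does not fit in %zu bytes\n", sizeof buf);
    return 0;
}
```

Sizing the buffer from the worst case of every conversion in the format, or measuring first with snprintf(NULL, 0, ...) and allocating that much plus one, removes the dependence on the magnitude of f.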
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 787
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 134
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_format_string_%f_%F
Abstract
The program writes just outside the bounds of allocated memory, which could corrupt data, crash the program, or lead to the execution of malicious code.
Explanation
Buffer overflow is probably the best-known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, but buffer overflow attacks against both existing and newly developed applications are still quite common. Part of the problem is the wide variety of ways in which a buffer overflow can occur, and part is the error-prone techniques often used to prevent them.

In a classic buffer overflow attack, the attacker sends data to a program, which stores it in a stack buffer that is too small. As a result, information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that, when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of off-by-one error is still common on some platforms and in some development communities, there are other types of buffer overflow, including stack and heap buffer overflows. A number of excellent books provide detailed information on how buffer overflow attacks work, including "Building Secure Software" [1], "Writing Secure Code" [2] and "The Shellcoder's Handbook" [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily write past the allocated bounds of the buffers they operate on. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size and makeup of a piece of data is the root cause of most buffer overflows.

Example 1: The following code contains an off-by-one buffer overflow, which occurs when recv returns the maximum number of bytes read: sizeof(buf). In this case, the subsequent dereference of buf[nbytes] writes the null byte outside the bounds of allocated memory.


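#include <sys/socket.h>

void receive(int socket) {
    char buf[MAX];
    int nbytes = recv(socket, buf, sizeof(buf), 0);
    /* Off-by-one: when nbytes == sizeof(buf), this index is one past the end of buf. */
    buf[nbytes] = '\0';
    ...
}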
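The following is an added example, not part of the original page: a corrected receive routine that reserves one byte for the terminator and handles the recv() error return, exercised over a local socketpair with a canary byte placed directly after the buffer. The names receive_text and demo_receive, the value of MAX and the payload are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX 8 /* constructed value; the page does not define MAX */

/* Receives text into buf and NUL-terminates it. At most cap - 1 bytes are
 * requested, so the terminator always has a slot inside buf. Returns the
 * number of bytes stored, or -1 on error (recv() itself returns -1 then,
 * which the code in Example 1 would use as the index buf[-1]). */
ssize_t receive_text(int sock, char *buf, size_t cap) {
    ssize_t nbytes;
    if (buf == NULL || cap == 0) return -1;
    nbytes = recv(sock, buf, cap - 1, 0);
    if (nbytes < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[nbytes] = '\0';
    return nbytes;
}

/* Constructed harness: pushes len bytes (1..2*MAX) through a local
 * socketpair and receives them into a MAX-byte buffer that is followed by
 * a canary byte. Returns the bytes stored, -1 on setup or receive failure,
 * or -2 if the canary changed or the string is not terminated. */
ssize_t demo_receive(size_t len) {
    struct { char buf[MAX]; unsigned char canary; } frame;
    char payload[2 * MAX];
    int sv[2];
    ssize_t stored;

    if (len == 0 || len > sizeof payload) return -1;
    memset(payload, 'A', sizeof payload);
    memset(frame.buf, 0x7f, sizeof frame.buf);
    frame.canary = 0x5a;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (send(sv[0], payload, len, 0) != (ssize_t)len) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    stored = receive_text(sv[1], frame.buf, sizeof frame.buf);
    close(sv[0]);
    close(sv[1]);

    if (stored < 0) return -1;
    if (frame.canary != 0x5a || frame.buf[stored] != '\0') return -2;
    return stored;
}

int main(void) {
    /* The peer sends exactly MAX bytes: the case that triggers the
     * off-by-one in Example 1. Here only MAX - 1 bytes are stored. */
    printf("sent %d, stored %ld\n", MAX, (long)demo_receive(MAX));
    printf("sent 3, stored %ld\n", (long)demo_receive(3));
    return 0;
}
```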
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 129, CWE ID 131, CWE ID 193, CWE ID 787, CWE ID 805
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [3] CWE ID 020, [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [3] CWE ID 020, [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787, [4] CWE ID 020, [17] CWE ID 119
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787, [4] CWE ID 020, [19] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787, [6] CWE ID 020, [17] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 18-0-5
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3, Rule 21.2.2
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[23] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[24] Standards Mapping - OWASP Top 10 2013 A1 Injection
[25] Standards Mapping - OWASP Top 10 2017 A1 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[39] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 805, Risky Resource Management - CWE ID 129, Risky Resource Management - CWE ID 131
[40] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 131
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3590.1 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_off_by_one
Abstract
The program uses a signed comparison to check a value that is later treated as unsigned. This can cause the program to write outside the bounds of allocated memory, which could corrupt data, crash the program, or lead to the execution of malicious code.
Explanation
Buffer overflow is probably the best-known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, but buffer overflow attacks against both existing and newly developed applications are still quite common. Part of the problem is the wide variety of ways in which a buffer overflow can occur, and part is the error-prone techniques often used to prevent them.

In a classic buffer overflow attack, the attacker sends data to a program, which stores it in a stack buffer that is too small. As a result, information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that, when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of stack buffer overflow is still common on some platforms and in some development communities, there are several other types of buffer overflow, including heap buffer overflows and off-by-one errors, among others. A number of excellent books provide detailed information on how buffer overflow attacks work, including "Building Secure Software" [1], "Writing Secure Code" [2] and "The Shellcoder's Handbook" [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily write past the allocated bounds of the buffers they operate on. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size and makeup of a piece of data is the root cause of most buffer overflows.

Example 1: The following code attempts to prevent an off-by-one buffer overflow by checking that the untrusted value read from getInputLength() is smaller than the size of the destination buffer output. However, because the comparison between len and MAX is signed, if len is negative it becomes a very large positive number when it is converted to an unsigned argument for memcpy().


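#include <string.h>

void TypeConvert() {
    char input[MAX];
    char output[MAX];

    fillBuffer(input);
    int len = getInputLength();

    /* Signed comparison: a negative len passes this check ... */
    if (len <= MAX) {
        /* ... and is converted to a very large unsigned count here. */
        memcpy(output, input, len);
    }
    ...
}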
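The following is an added example, not part of the original page: it isolates the signed check from Example 1, shows the count memcpy() would receive for a negative len, and gives a copy routine that rejects negative lengths before converting to size_t. The names passes_signed_check, as_memcpy_count and copy_checked, and the value of MAX, are assumptions introduced for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX 16 /* constructed value; the page does not define MAX */

/* The guard from Example 1 in isolation: 1 when len passes the signed
 * comparison, 0 otherwise. */
int passes_signed_check(int len) {
    return len <= MAX;
}

/* The byte count memcpy() would see. Its third parameter is size_t, so a
 * negative int is converted modulo SIZE_MAX + 1. */
size_t as_memcpy_count(int len) {
    return (size_t)len;
}

/* Hardened copy: rejects negative lengths before any conversion, then
 * compares as size_t against both buffer sizes. Returns 0 on success and
 * -1 when nothing was copied. */
int copy_checked(char *dst, size_t dst_size,
                 const char *src, size_t src_size, int len) {
    size_t n;
    if (dst == NULL || src == NULL || len < 0) return -1;
    n = (size_t)len;
    if (n > dst_size || n > src_size) return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void) {
    char input[MAX];
    char output[MAX];

    memset(input, 'A', sizeof input);   /* constructed sample input */
    memset(output, 0, sizeof output);

    /* A negative length satisfies "len <= MAX" yet becomes a huge count. */
    printf("len=-1: passes check=%d, memcpy count=%zu\n",
           passes_signed_check(-1), as_memcpy_count(-1));

    /* The hardened routine refuses it and leaves output untouched. */
    printf("copy_checked(-1)  -> %d\n",
           copy_checked(output, sizeof output, input, sizeof input, -1));
    printf("copy_checked(MAX) -> %d\n",
           copy_checked(output, sizeof output, input, sizeof input, MAX));
    return 0;
}
```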
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 195, CWE ID 805
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [17] CWE ID 119
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [19] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [17] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 805
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3550 CAT I, APP3590.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3550 CAT I, APP3590.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3550 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3550 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3550 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3550 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3550 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_signed_comparison