CWE-1419: Incorrect Initialization of Resource

Description

The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.

Submission Date :

Oct. 11, 2023, midnight

Modification Date :

NONE

Organization :

MITRE
Extended Description

This can have security implications when the associated resource is expected to have certain properties or values. Examples include a variable that determines whether a user has been authenticated or not, or a register or fuse value that determines the security state of the product.

For software, this weakness can frequently occur when implicit initialization is used, meaning the resource is not explicitly set to a specific value. For example, in C, memory is not necessarily cleared when it is allocated on the stack, and many scripting languages use a default empty, null value, or zero value when a variable is not explicitly initialized.

For hardware, this weakness frequently appears with reset values and fuses. After a product reset, hardware may initialize registers incorrectly. During different phases of a product lifecycle, fuses may be set to incorrect values. Even if fuses are set to correct values, the lines to the fuse could be broken or there might be hardware on the fuse line that alters the fuse value to be incorrect.

Example Vulnerable Codes

Example - 1

Consider example design module system verilog code shown below. The register_example module is an example parameterized module that defines two parameters, REGISTER_WIDTH and REGISTER_DEFAULT. Register_example module defines a Secure_mode setting, which when set makes the register content read-only and not modifiable by software writes. register_top module instantiates two registers, Insecure_Device_ID_1 and Insecure_Device_ID_2. Generally, registers containing device identifier values are required to be read only to prevent any possibility of software modifying these values. 




Data_out <= REGISTER_DEFAULT; // Register content set to Default at reset Secure_mode <= REGISTER_DEFAULT[0]; // Register Secure_mode set at reset 

Data_out <= Data_in; 
if (~resetn) begin end else if (write & ~Secure_mode) begin end 

.REGISTER_WIDTH (32), .REGISTER_DEFAULT (1224) // Incorrect Default value used bit 0 is 0. 

.Data_in (Data_in), .Data_out (Secure_reg), .Clk (Clk), .resetn (resetn), .write (write) 

.REGISTER_WIDTH (32) // Default not defined 2^32-2 value will be used as default. 

.Data_in (Data_in), .Data_out (Insecure_reg), .Clk (Clk), .resetn (resetn), .write (write) 
// Parameterized Register module example // Secure_mode : REGISTER_DEFAULT[0] : When set to 1 register is read only and not writable// module register_example #( parameter REGISTER_WIDTH = 8, // Parameter defines width of register, default 8 bits parameter [REGISTER_WIDTH-1:0] REGISTER_DEFAULT = 2**REGISTER_WIDTH -2 // Default value of register computed from Width. Sets all bits to 1s except bit 0 (Secure _mode) ) ( input [REGISTER_WIDTH-1:0] Data_in, input Clk, input resetn, input write, output reg [REGISTER_WIDTH-1:0] Data_out ); reg Secure_mode; always @(posedge Clk or negedge resetn) endmodule module register_top ( input Clk, input resetn, input write, input [31:0] Data_in, output reg [31:0] Secure_reg, output reg [31:0] Insecure_reg ); register_example #( ) Insecure_Device_ID_1 ( ); register_example #() Insecure_Device_ID_2 ( ); endmodule

These example instantiations show how, in a hardware design, it would be possible to instantiate the register module with insecure defaults and parameters.

In the example design, both registers will be software writable since Secure_mode is defined as zero. 



.REGISTER_WIDTH (32), .REGISTER_DEFAULT (1225) // Correct default value set, to enable Secure_mode 

.Data_in (Data_in), .Data_out (Secure_reg), .Clk (Clk), .resetn (resetn), .write (write) register_example #( ) Secure_Device_ID_example ( );

Example - 2

This code attempts to login a user using credentials from a POST request:


// // $user and $pass automatically set from POST request// 
$authorized = true;
// ...// 
generatePage();if (login_user($user,$pass)) {}if ($authorized) {}

Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials.

Here is a fixed version:


$authorized = true;
// ...// 
$user = $_POST['user'];$pass = $_POST['pass'];$authorized = false;if (login_user($user,$pass)) {}

This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-454: External Initialization of Trusted Variables or Data Stores
Go to
CWE-665: Improper Initialization
Go to
CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
Go to
CWE-1052: Excessive Use of Hard-Coded Literals in Initialization
Go to
CWE-1188: Initialization of a Resource with an Insecure Default
Go to
CWE-1221: Incorrect Register Defaults or Module Parameters
Go to

Visit http://cwe.mitre.org/ for more details.