2

I am in the process of writing up a vulnerability report for a thick client application. One of the findings for the executable is ASLR being disabled. As part of reporting, I'm required to provide a CWE to the client that best describes the vulnerability. I can't seem to find a strong CWE that describes ASLR being disabled.

Some of my co-workers have used http://cwe.mitre.org/data/definitions/119.html but that is just wrong, as that CWE does not describe anything along the lines of the randomization that ASLR tries to perform.

What CWE have people used in the past?

Thanks in advanced.

eliteparakeet
  • 243
  • 2
  • 7

2 Answers2

2

CWE doesn't enlist lack of ASLR explicitly as an entry, but I believe it definitely comes under "Security Misconfiguration" CWE-815 as Rook has stated above.

Additionally, I wanted to add that Buffer Access Using Size of Source Buffer CWE-806 clearly recommends it as one of multiple necessary measures for system hardening against overflow based attacks. The exact statement is as follows:-

Phase: Operation
Strategy: Environment Hardening
Use a feature like Address Space Layout Randomization (ASLR) [R.806.3] [R.806.5].
Effectiveness: Defense in Depth
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Also, although the OWASP Project identifies it as a Wiki Page and weakness, it doesn't state which category it falls under at this point of time (Seems like a good thing to contribute to). :( Ref: https://www.owasp.org/index.php/Address_space_layout_randomization_%28ASLR%29

Rohan
  • 2,331
  • 17
  • 19
1

Despite having thousands of entries, the CWE system is not granular enough to express this specific violation. However, there are more general CWE families that could help. CWE-2: Environment looks like the right parent node, or perhaps CWE-815 Security Misconfiguration would be more exact.

rook
  • 47,238
  • 10
  • 96
  • 182
  • Thanks Rook. I've looked at a few of those, but decided to go with http://cwe.mitre.org/data/definitions/693.html. Although I wouldn't say ASLR is "sufficient defense" like the CWE site says, but it definitely is something that helps exploit mitigation. In my opinion MITRE should update their CWE list to contain an entry for compile time issues such as ASLR, DEP, etc. – eliteparakeet Jul 10 '13 at 16:17
  • 2
    @eliteparakeet You could email them the suggestion, they like hearing new suggestions. The CWE system is built to help us, and they like our feedback. – rook Jul 10 '13 at 16:33