[EXT] Re: Cross-configuration attacks

2021-09-24 Thread Fredrick Omeniho
You are right on spec not being comprehensive enough, and most of these issues arise because the industry is embracing agile while attempting to drop waterfall. Both methodologies should be adopted and given priorities at different phases of the project cycle. Planning is crucial but most industry

Re: Cross-configuration attacks

2021-09-24 Thread Kerry Crouse
Frequently, items are not "out-of-spec" but the spec is simply not comprehensive enough - a corner case has been missed, for instance. Kerry Kerry Crouse The MITRE Corporation 781-271-2061 From: Kurt Seifried Sent: Friday, September 24, 2021

RE: Cross-configuration attacks

2021-09-24 Thread Paul.Wortman
It would seem, in my opinion and take on this matter, that it really boils down to human assumptions on functionality and ability. This could be incorporated in CWE-1053 (Missing Documentation for Design) since the fault seems to come from an assumption of behavior (e.g. challenge/response).

Re: Cross-configuration attacks

2021-09-24 Thread Kurt Seifried
On Thu, Sep 23, 2021 at 11:02 PM Steven M Christey wrote:
> Just a couple quick comments since it’s late for me :)
>
> CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities seems to cover the original question. CWE-435’s description says “An interaction error occurs

Re: Cross-configuration attacks

2021-09-24 Thread SebastianGanson
About configurations, I’m still scratching my head about where PrintNightmare’s “Insecure by design” would fall (fail?). Best, Sebastian
> On Sep 24, 2021, at 1:01 AM, Steven M Christey wrote:
>
> Just a couple quick comments since it’s late for me :)
>
> CWE-435: Improper Interaction

CWE 129 - Example 3

2021-09-24 Thread John Thomas
Hi, I am not sure this is the proper place to make suggestions on CWE examples, but I have noticed a problem with CWE 129 - Example 3 (This is also a problem with CWE 125 - Example 1, and CWE 839 - Example 3). In each of the examples, the bad code has an insufficient check for out-of-bounds

RE: Cross-configuration attacks

2021-09-24 Thread Steven M Christey
CWE-274 is about when software “incorrectly handles when it has insufficient privileges to perform an operation” which appears to be a relatively rare phenomenon. See the CVE examples – for example, CVE-2001-1564 is about the product trying to enforce resource limits after dropping privileges,

Re: Cross-configuration attacks

2021-09-24 Thread Steve Battista
Print nightmare allows for non admins to install a driver that runs as admin. Current patch partially fixes this. I would vote for CWE-274. From: SebastianGanson Sent: Friday, September 24, 2021 4:28:07 AM To: Steven M

RE: Cross-configuration attacks

2021-09-24 Thread John Thomas
I think the issue here is the ambiguity in the behavior. If App A knows App B’s behavior fully and with no ambiguity and App B knows how App A will respond fully and with no ambiguity, then it’s unlikely to be a problem. The issue is that with the ambiguity, App A cannot fully know/anticipate

RE: Cross-configuration attacks

2021-09-24 Thread Kanuparthi, Arun
CWE-1197 (Integration Issues) and CWE-1276 (Hardware Child Block Incorrectly Connected to Parent System) can cover these kinds of issues – where both the individual IPs/blocks are fine by