Merge pull request #18 from Ericsson/pr-11

Pr 11

CWE-664/CWE-134/README.md

@@ -122,7 +122,7 @@ if __name__ == "__main__":
 |:----|:----|:----|:----|:----|
 |ConsoleMe < 1.2.2|[CVE-2022-27177](https://www.cvedetails.com/cve/CVE-2022-27177/)|v3.1:9.8|A Python format string issue leading to information disclosure and potentially remote code execution.||
 |Zenoss Core < 4.2.5|[CVE-2014-6262](https://www.cvedetails.com/cve/CVE-2014-6262/) ZEN-15415|Multiple format string vulnerabilities in the python module in RRDtool allow remote attackers to execute arbitrary code or cause a denial of service using the rrdtool.graph function.|v3.1:7.5|related issue to CVE-2013-2131.|
-|RRDTool < 1.4.6|[CVE-2013-2131](https://www.cvedetails.com/cve/CVE-2013-2131/)|Format string vulnerability in the rrdtool module 1.4.7 for Python, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.||
+|RRDTool < 1.4.6|[CVE-2013-2131](https://www.cvedetails.com/cve/CVE-2013-2131/)|Format string vulnerability in the rrdtool module 1.4.7 for Python, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.|||
 
 ## Related Guidelines
 

CWE-664/CWE-410/README.md

@@ -68,8 +68,8 @@ print(f"ATTACKER: result_list = {result_list}")
 The `noncompliant01.py` code creates a risk of having a single component exhaust all available hardware resources even when used by a single user for a single use-case. When running the code, the Unix `top` command can show a significant increase in CPU usage (%CPU exceeds 100% because multiple cores are being used):
 
 ```bash
-PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND    
- 
+PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
+
 10806 user   20   0 9618068  18080   3516 S 238.2  0.1   0:08.16 python
 ```
 
@@ -101,7 +101,7 @@ def process_message(message: str):
 
 class MessageAPI(object):
     """Class simulating the front end facing API"""
-    # TODO: Prevent the attacker from creating multiple MessageAPI objects    
+    # TODO: Prevent the attacker from creating multiple MessageAPI objects
 
     def __init__(self):
         # TODO: set or handle timeout as it is provided by the mediation layer
@@ -139,7 +139,9 @@ result_list = mapi.add_messages(attacker_messages)
 print(f"ATTACKER: done sending {len(attacker_messages)} messages, got {len(result_list)} messages back")
 print(f"ATTACKER: result_list = {result_list}")
 ```
+
 Now, after the timeout is reached, `MessageAPI` drops unprocessed messages and returns partial results:
+
 ```bash
 ATTACKER: start sending messages
 INFO:root:add_messages: messages_done=34 messages_not_done=66
@@ -159,45 +161,45 @@ import logging
 import time
 from concurrent.futures import ThreadPoolExecutor
 from concurrent.futures import wait
- 
+
 logging.basicConfig(level=logging.INFO)
- 
- 
+
+
 def process_message(message: str):
     """ Method simulating mediation layer i/o heavy work"""
     logging.debug("process_message: started message   %s working %is", message, int(message) / 10)
     for _ in range(int(message)):
         time.sleep(0.01)
     logging.debug("process_message: completed message %s", message)
     return f"processed {message}"
- 
- 
+
+
 class MessageAPI(object):
     """Class simulating the front end facing API"""
- 
+
     def __init__(self):
         self.executor = ThreadPoolExecutor()
         self.timeout = 1
- 
+
     def add_messages(self, messages: list) -> list:
         """ Receives a list of messages to work on """
         futures = []
         for message in messages:
             futures.append(self.executor.submit(process_message, message))
- 
+
         logging.debug("add_messages: submitted %i messages, waiting for %is to complete.",
                       len(messages), self.timeout)
         messages_done, messages_not_done = wait(futures, timeout=self.timeout)
- 
+
         logging.info("add_messages: messages_done=%i messages_not_done=%i", len(messages_done),
                      len(messages_not_done))
- 
+
         process_messages = []
         for future in messages_done:
             process_messages.append(future.result())
         return process_messages
- 
- 
+
+
 #####################
 # exploiting above code example
 #####################
@@ -224,28 +226,28 @@ import logging
 import time
 from concurrent.futures import ThreadPoolExecutor
 from concurrent.futures import wait
- 
+
 logging.basicConfig(level=logging.INFO)
- 
- 
+
+
 def process_message(message: str):
     """ Method simulating mediation layer i/o heavy work"""
     logging.debug("process_message: started message   %s working %is", message, int(message) / 10)
     for _ in range(int(message)):
         time.sleep(0.01)
     logging.debug("process_message: completed message %s", message)
     return f"processed {message}"
- 
- 
+
+
 class MessageAPI(object):
     """Class simulating the front end facing API"""
     # TODO: Prevent the attacker from creating multiple MessageAPI objects
- 
+
     def __init__(self):
         # TODO: set or handle timeout as it is provided by the mediation layer
         self.timeout = 1
         self.executor = ThreadPoolExecutor()
- 
+
     def add_messages(self, messages: list) -> list:
         """ Receives a list of messages to work on """
         # TODO: limit on max messages from the mediation layer.
@@ -268,15 +270,15 @@ class MessageAPI(object):
                          len(messages_not_done))
         for future in messages_not_done:
             future.cancel()
- 
+
         logging.info("add_messages: messages_done=%i messages_not_done=%i", len(messages_done),
                      len(messages_not_done))
         process_messages = []
         for future in messages_done:
             process_messages.append(future.result())
         return process_messages
- 
- 
+
+
 #####################
 # exploiting above code example
 #####################

CWE-664/CWE-501/README.md

@@ -0,0 +1,49 @@
+# CWE-501: Trust Boundary Violation
+
+Python does not share the concept of different trust zones within the same runtime as explained in the *JAVA SEI CERT Rule 15 platform security (SEC)* [[SEI CERT 2022]](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683) rules. Python neither has a security manager that can control access between trusted and untrusted code running on the same JVM. “Private” instance variables that cannot be accessed except from inside an object don’t exist in Python [Python 2023].
+
+In Python we need to implement different trust zone's by starting  python runtime's with individual POSIX/Machine users. The POSIX/Machine user access rights must be set in accordance to level of trust per zone.
+
+## Noncompliant STRIDE example - New User Sign-up Process
+
+The example shows how new users sign up for a bank account. STRIDE illustrates trust boundaries in dotted red lines [[OWASP, Conklin,  Drake, 2023]](https://cwe.mitre.org/data/definitions/134.html). In the noncompliant example, we have all Python scripts running under the same POSIX user.
+
+![noncompliant01.png](noncompliant01.png "noncompliant01.png")
+
+Breaking the outer perimeter allows the attacker to run commands under the same privileges as the rest of the system.
+
+## Compliant STRIDE example - New User Sign-up Process
+
+The compliant solution has multiple layers of trust zones creating defense in depth. Each zone running their runtime environment under a different user. Crossing the red-dotted borders requires authentication and authorization.
+
+![compliant01.png](compliant01.png "compliant01.png")
+
+Layering security allows to secure the more sensitive parts of the system.
+
+## Automated Detection
+
+unknown
+
+## Related Vulnerabilities
+
+|Product|CVE|Description|CVSS Rating|Comment|
+|:----|:----|:----|:----|:----|
+|Zoom clients <= 5.13.5|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597/)|v3.1:8.3|A Python format string issue leading to information disclosure and potentially remote code execution.||
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar [CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base [CWE - CWE-501: Trust Boundary Violation (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/501.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base [CWE - CWE-306: Missing Authentication for Critical Function (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/306.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Class [CWE - CWE-269: Improper Privilege Management (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/269.html)|
+|[OWASP Top 10:2021](https://owasp.org/Top10/A04_2021-Insecure_Design/)|[A04 Insecure Design - OWASP Top 10:2021](https://owasp.org/Top10/A04_2021-Insecure_Design/)|
+
+## Bibliography
+
+|||
+|:---|:---|
+|[[SEI CERT 2022]](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683)|Rule 15. Platform Security (SEC). Available from: [SEI CERT](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487683) [accessed 07 May 2024]|
+|[[Python 2023]](https://docs.python.org/3.9/tutorial/classes.html?highlight=private#private-variables)|Python Software Foundation. (2023). Classes - Private Variables. Available from: [Python Documentation](https://docs.python.org/3.9/tutorial/classes.html?highlight=private#private-variables) [accessed 13 September 2023]|
+|[[OWASP, Conklin,  Drake, 2023]](https://cwe.mitre.org/data/definitions/134.html)|[CWE - CWE-134: Use of Externally-Controlled Format String (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/134.html)|

CWE-682/CWE-191/README.md

@@ -1,4 +1,3 @@
 # CWE-191, Integer Underflow (Wrap or Wraparound)
 
 PLACEHOLDER for # CWE-1335: Promote readability and compatibility by using mathematical written code with arithmetic operations instead of bit-wise operations link
-

README.md

@@ -45,7 +45,8 @@ It is **not production code** and requires code-style or python best practices t
 |[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)||
 |[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/.)||
 |[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/.)||
-|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/README.md)||
+|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)||
+|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)||
 |[CWE-665: Improper Initialization](CWE-664/CWE-665/.)||
 |[CWE-681: Improper Control of a Resource Through its Lifetime](CWE-664/CWE-681/.)||
 |[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||