CWE-457 Detail

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.

Modes Of Introduction

Implementation : In C, using an uninitialized char * in some string libraries will return incorrect results, as the libraries expect the null terminator to always be at the end of a string, even if the string is empty.

Applicable Platforms

Language

Name: C (Sometimes)
Name: C++ (Sometimes)
Name: Perl (Often)
Name: PHP (Often)
Class: Not Language-Specific (Undetermined)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Implementation
Assign all variables to an initial value.
Phases : Build and Compilation
Most compilers will complain about the use of uninitialized variables if warnings are turned on.
Phases : Implementation // Operation
When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
Phases : Requirements
The choice could be made to use a language that is not susceptible to these issues.
Phases : Architecture and Design
Mitigating technologies such as safe string libraries and container abstractions could be introduced.

Detection Methods

Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness : High

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-436

Exploiting Uninitialized Data
mercy.
http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip

REF-437

MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability
Microsoft Security Vulnerability Research & Defense.
https://msrc.microsoft.com/blog/2008/03/ms08-014-the-case-of-the-uninitialized-stack-variable-vulnerability/

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Modifications