CWE-405 Détail

CWE-405

Nom

Asymmetric Resource Consumption (Amplification)

Statut

Incomplete

Publié

2006-07-19
00h00 +00:00

Modifié

2024-02-29
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Description du CWE

This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.

Informations générales

Modes d'introduction

Architecture and Design
Implementation
Operation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Systèmes d’exploitation

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: Client Server (Undetermined)

Conséquences courantes

Portée	Impact	Probabilité
Availability	DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other) Note: Sometimes this is a factor in "flood" attacks, but other types of amplification exist.	High

Exemples observés

Références	Description
CVE-1999-0513	Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
CVE-2003-1564	Parsing library allows XML bomb
CVE-2004-2458	Tool creates directories before authenticating user.
CVE-2020-10735	Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243	server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2013-5211	composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
CVE-2002-20001	Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
CVE-2022-40735	The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.

Mesures d’atténuation potentielles

Phases : Architecture and Design
An application must make resources available to a client commensurate with the client's access level.
Phases : Architecture and Design
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Phases : System Configuration
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Commentaire : Examine children of this entry to see if there is a better fit

Références

REF-1164

Catastrophic backtracking
Ilya Kantor.
https://javascript.info/regexp-catastrophic-backtracking

Soumission

Nom	Organisation	Date	Date de publication	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Nom	Organisation	Date	Commentaire
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2009-07-27 +00:00	updated Common_Consequences, Other_Notes
CWE Content Team	MITRE	2010-02-16 +00:00	updated Taxonomy_Mappings
CWE Content Team	MITRE	2010-12-13 +00:00	updated Description
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2011-06-27 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Functional_Areas
CWE Content Team	MITRE	2019-01-03 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Time_of_Introduction
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes, Relationships
CWE Content Team	MITRE	2024-02-29 +00:00	updated Demonstrative_Examples

Détail du CWE-405