CWE Reference
CWE-125: Out-of-bounds Read
Official CWE-125 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Release 4.20weaknessDraft
Glexia's Take
CWE-125: OOB read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality: Read Memory: An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks.
- Confidentiality: Bypass Protection Mechanism: Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution.
- Availability: DoS: Crash, Exit, or Restart: An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer. This is especially likely when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string.
- Other: Varies by Context: The read operation could produce other undefined or unexpected results.
Developer Pattern
CWE-125 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-125, 4.20.
Official CWE Definition
CWE-125: Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.
- In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing. However, the message length variable (msgLength) from the structure is used as the condition for ending the for loop without validating that msgLength accurately reflects the actual length of the message body (CWE-606). If msgLength indicates a length that is longer than the size of a message body (CWE-130), then this can result in a buffer over-read by reading past the end of the buffer (CWE-126).
Remediation
- Implementation: [object Object]
- Architecture and Design: Use a language that provides appropriate memory abstractions.
Detection
- Fuzzing: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- Automated Dynamic Analysis: Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-126: Buffer Over-read
- CWE-127: Buffer Under-read
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.