Base weakness

Draft

CWE-390: Detection of Error Condition Without Action

The product detects a specific error, but takes no actions to handle the error.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-390 (Detection of Error Condition Without Action) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed.

Vulnerable example

foo=malloc(sizeof(char)); //the next line checks to see if malloc failed

Safe example

foo=malloc(sizeof(char)); //the next line checks to see if malloc failed

In the following C++ example the method readFile() will read the file whose name is provided in the input parameter and will return the contents of the file in char string. The method calls open() and read() may result in errors if the file does not exist or does not contain any data to read. These errors will be thrown when the is_open() method and good() method indicate errors opening or reading the file. However, these errors are not handled within the catch statement. Catch statements that do not perform any processing will have unexpected results. In this case an empty char string will be returned, and the file will not be properly closed.

Vulnerable example

cpp

char* readfile (char *filename) {

Safe example

cpp

char* readFile (char *filename) {

The catch statement should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following C++ example contains two catch statements. The first of these will catch a specific error thrown within the try block, and the second catch statement will catch all other errors from within the catch block. Both catch statements will notify the user that an error has occurred, close the file, and rethrow to the block that called the readFile() method for further handling or possible termination of the program.

In the following Java example the method readFile will read the file whose name is provided in the input parameter and will return the contents of the file in a String object. The constructor of the FileReader object and the read method call may throw exceptions and therefore must be within a try/catch block. While the catch statement in this example will catch thrown exceptions in order for the method to compile, no processing is performed to handle the thrown exceptions. Catch statements that do not perform any processing will have unexpected results. In this case, this will result in the return of a null String.

Vulnerable example

java

public String readFile(String filename) {

Safe example

java

public String readFile(String filename) throws FileNotFoundException, IOException, Exception {

The catch statement should contain statements that either attempt to fix the problem, notify the user that an exception has been raised and continue processing, or perform some cleanup and gracefully terminate the program. The following Java example contains three catch statements. The first of these will catch the FileNotFoundException that may be thrown by the FileReader constructor called within the try/catch block. The second catch statement will catch the IOException that may be thrown by the read method called within the try/catch block. The third catch statement will catch all other exceptions thrown within the try block. For all catch statements the user is notified that the exception has been thrown and the exception is rethrown to the block that called the readFile() method for further processing or possible termination of the program. Note that with Java it is usually good practice to use the getMessage() method of the exception class to provide more information to the user about the exception raised.

CWE-390: Detection of Error Condition Without Action

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-390?

What CVEs are caused by CWE-390?

How do you prevent CWE-390?

How is CWE-390 detected?

What are the consequences of CWE-390?

Is CWE-390 actively exploited?

References

Stay ahead of CWE-390

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Can precede

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-390?

What CVEs are caused by CWE-390?

How do you prevent CWE-390?

How is CWE-390 detected?

What are the consequences of CWE-390?

Is CWE-390 actively exploited?

References

Stay ahead of CWE-390