[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248392

 
 

909

 
 

195452

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Information Exposure Through Process Environment

ID: 214Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Variant





Description

A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Extended Description

Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 		Read application data
 		 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
  Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
 		  

Relationships

Related CWETypeViewChain
CWE-214 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the Java example below, the password for a keystore file is read from a system property. If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.

Observed Examples

  1. CVE-2005-1387 : password passed on command line
  2. CVE-2005-2291 : password passed on command line
  3. CVE-2001-1565 : username/password on command line allows local users to view via "ps" or other process listing programs
  4. CVE-2004-1948 : Username/password on command line allows local users to view via "ps" or other process listing programs.
  5. CVE-1999-1270 : PGP passphrase provided as command line argument.
  6. CVE-2004-1058 : Kernel race condition allows reading of environment variables of a process that is still spawning.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Process information infoleak to other processes
 		 

References:
None

© SecPod Technologies