To get a trial key
fill out the form below
Team License (standard version)
Enterprise License (extended version)
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
GBP
RUB
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
Potential Vulnerability

Potential Vulnerability

Jun 03 2021

A potential vulnerability (security weakness) is an error in program code that can lead to a vulnerability. This happens when an attacker finds a way to exploit an error and affect program behavior.

Terminology

A software error (bug) causes a program to behave unexpectedly. Such bugs can remain hidden in a program. An attacker can exploit such errors, then it becomes a vulnerability. Vulnerabilities most often arise from common software errors, not from high-level security failures.

The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.

A potential vulnerability is a code error that hackers can exploit. Other terms: a security defect, a security weakness. Common Weakness Enumeration (CWE) is a list of dangerous weaknesses. So, if you have an error that fits the CWE list, you are dealing with a potential vulnerability.

A vulnerability refers to an error in a system that can be used for malicious purposes. The Common Vulnerabilities and Exposures (CVE) system provides a database of publicly known security vulnerabilities.

A zero-day vulnerability is an unknown flaw or vulnerability. Due to such a vulnerability, hackers can take over a system, use a remote desktop control, get access to your data, and so on. A zero-day attack happens when attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability – hence "zero-day".

SAST (Static Application Security Testing) is a testing methodology that analyzes source code to find security vulnerabilities. We'll discuss SAST tools in detain below.

Vulnerabilities vs. Potential Vulnerabilities

Authors of articles and documentation on static code analyzers often confuse potential vulnerability and vulnerability. Perhaps writers just don't know the difference, or maybe they intentionally make the description more intimidating.

Here's an example of such a description:

The static analyzer found a vulnerability. A buffer overflow may occur here...

But this is not yet a vulnerability. This error is very likely to crash a program, but an attacker can't exploit such a bug. It has a low impact on a program, for example, it may cause discoloration of some GUI element.

A vulnerability occurs only when cybercriminals create an exploit to gain unauthorized access to a computer system. At first, we must understand whether we have a harmless bug or a vulnerability. Until then, we are dealing with a potential vulnerability.

We don't want to exaggerate and brag that the PVS-Studio analyzer found hundreds of vulnerabilities. Our tool searches for potential vulnerabilities. It's very unlikely that hackers could exploit them because it takes a lot of effort, time and skills to build an exploit. Although we constantly learn about new vulnerabilities, they still appear rarely. Meanwhile, PVS-Studio regularly finds thousands of errors in applications.

Note. If you use PVS-Studio as a plugin for SonarQube, some warnings get into the "Vulnerabilities" section. In fact, these are not vulnerabilities but potential vulnerabilities. SonarQube developers use the term vulnerability for significant defects.

Now we know why there's no need to call each error a vulnerability. However, a bugless app is the best app. So, don't hesitate to fix an error right away. Otherwise, some bad actor could exploit a bug in your code and create a new vulnerability. (i.e., you'll have a zero-day vulnerability).

An example of a potential vulnerability

The CWE database describes an "unreachable code" error as CWE-561, which means it is a potential vulnerability. A potential vulnerability may well be a harmless bug from security standpoint. But let's check its chances of becoming a critical vulnerability.

Take a look at a code snippet from the Vangers: One For The Road game (click here for further details).

void uvsVanger::break_harvest(void){
  ....

  pg = Pworld -> escT[0] -> Pbunch 
    -> cycleTable[Pworld -> escT[0] -> Pbunch -> currentStage].Pgame;

  if (!pg) {
    return;
    ErrH.Abort("uvsVanger::break_harvest : don't know where to go ");
  }
  
  ....
}

PVS-Studio warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.

If an error occurs, the break_harvest function must write a message to the log. Then, the function finishes. The programmer puts the message to the log data after the return statement by accident. The debug warning does not get into the log. It's definitely better to fix such an issue. However, you can't call it a vulnerability.

Now let's take a look at the error that caused the vulnerability in iOS.

Vulnerability Description CVE-2014-1266: The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, 
                                 bool isRsa, 
                                 SSLBuffer signedParams,
                                 uint8_t *signature, 
                                 UInt16 signatureLen)
{
  OSStatus err;
  ....

  if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
  if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;
  if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
  ....

fail:
  SSLFreeBuffer(&signedHashes);
  SSLFreeBuffer(&hashCtx);
  return err;
}

Please note that PVS-Studio issues the same warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.

The double goto made a part of the code unreachable. Even if the err variable is null, the transition to the fail label occurs. That's why, a signature verification does not happen. The function returns 0, which indicates that the problem is not in the signature. Then, the program gets the server key, even if there are problems with the signature. This key encrypts data during transmission.

So, here the same potential vulnerability turns out to be a critical vulnerability.

Conclusion. It's clear that such error in a game is non-fatal in terms of security. But it may become fatal. Therefore, don't try to guess whether an error is dangerous. It's always better to fix a bug.

SAST: in search of vulnerabilities and potential vulnerabilities

There are two types of SAST tools.

Analyzers of the first type search for known vulnerabilities. They operate pretty much like antivirus software. Such analyzers detect common vulnerabilities (CVE) in code fragments.

Some old libraries may contain a known vulnerability. If a programmer used such a library, an analyzer would find a vulnerability. Database search tools almost do not issue false positives. However, they can't find errors in new code (zero-day vulnerabilities).

Analyzers of the second type search for zero-day vulnerabilities. Suppose an application contains a hidden error. If a hacker finds such a bug, they may create a new vulnerability.

Analyzers of the second type detect errors that are likely to cause a vulnerability. CWE provides a large list of such error patterns. Many analyzer developers use CWE as a guide.

The PVS-Studio analyzer is a SAST tool of the second type. It can classify warnings according to CWE. In other words, PVS-Studio prevents zero-day vulnerabilities.

Additional links

Popular related articles
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
The Last Line Effect

Date: May 31 2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…
The Ultimate Question of Programming, Refactoring, and Everything

Date: Apr 14 2016

Author: Andrey Karpov

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort. The au…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
The way static analyzers fight against false positives, and why they do it

Date: Mar 20 2017

Author: Andrey Karpov

In my previous article I wrote that I don't like the approach of evaluating the efficiency of static analyzers with the help of synthetic tests. In that article, I give the example of a code fragment…

Comments (0)

Next comments

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept