to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS-Studio license for Microsoft MVP specialists
** By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
** By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
** By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
Potential Vulnerability

Potential Vulnerability

Jun 03 2021

A potential vulnerability (security weakness) is an error in program code that can lead to a vulnerability. This happens when an attacker finds a way to exploit an error and affect program behavior.

Terminology

A software error (bug) causes a program to behave unexpectedly. Such bugs can remain hidden in a program. An attacker can exploit such errors, then it becomes a vulnerability. Vulnerabilities most often arise from common software errors, not from high-level security failures.

The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.

A potential vulnerability is a code error that hackers can exploit. Other terms: a security defect, a security weakness. Common Weakness Enumeration (CWE) is a list of dangerous weaknesses. So, if you have an error that fits the CWE list, you are dealing with a potential vulnerability.

A vulnerability refers to an error in a system that can be used for malicious purposes. The Common Vulnerabilities and Exposures (CVE) system provides a database of publicly known security vulnerabilities.

A zero-day vulnerability is an unknown flaw or vulnerability. Due to such a vulnerability, hackers can take over a system, use a remote desktop control, get access to your data, and so on. A zero-day attack happens when attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability – hence "zero-day".

SAST (Static Application Security Testing) is a testing methodology that analyzes source code to find security vulnerabilities. We'll discuss SAST tools in detain below.

Vulnerabilities vs. Potential Vulnerabilities

Authors of articles and documentation on static code analyzers often confuse potential vulnerability and vulnerability. Perhaps writers just don't know the difference, or maybe they intentionally make the description more intimidating.

Here's an example of such a description:

The static analyzer found a vulnerability. A buffer overflow may occur here...

But this is not yet a vulnerability. This error is very likely to crash a program, but an attacker can't exploit such a bug. It has a low impact on a program, for example, it may cause discoloration of some GUI element.

A vulnerability occurs only when cybercriminals create an exploit to gain unauthorized access to a computer system. At first, we must understand whether we have a harmless bug or a vulnerability. Until then, we are dealing with a potential vulnerability.

We don't want to exaggerate and brag that the PVS-Studio analyzer found hundreds of vulnerabilities. Our tool searches for potential vulnerabilities. It's very unlikely that hackers could exploit them because it takes a lot of effort, time and skills to build an exploit. Although we constantly learn about new vulnerabilities, they still appear rarely. Meanwhile, PVS-Studio regularly finds thousands of errors in applications.

Note. If you use PVS-Studio as a plugin for SonarQube, some warnings get into the "Vulnerabilities" section. In fact, these are not vulnerabilities but potential vulnerabilities. SonarQube developers use the term vulnerability for significant defects.

Now we know why there's no need to call each error a vulnerability. However, a bugless app is the best app. So, don't hesitate to fix an error right away. Otherwise, some bad actor could exploit a bug in your code and create a new vulnerability. (i.e., you'll have a zero-day vulnerability).

An example of a potential vulnerability

The CWE database describes an "unreachable code" error as CWE-561, which means it is a potential vulnerability. A potential vulnerability may well be a harmless bug from security standpoint. But let's check its chances of becoming a critical vulnerability.

Take a look at a code snippet from the Vangers: One For The Road game (click here for further details).

void uvsVanger::break_harvest(void){
  ....

  pg = Pworld -> escT[0] -> Pbunch 
    -> cycleTable[Pworld -> escT[0] -> Pbunch -> currentStage].Pgame;

  if (!pg) {
    return;
    ErrH.Abort("uvsVanger::break_harvest : don't know where to go ");
  }
  
  ....
}

PVS-Studio warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.

If an error occurs, the break_harvest function must write a message to the log. Then, the function finishes. The programmer puts the message to the log data after the return statement by accident. The debug warning does not get into the log. It's definitely better to fix such an issue. However, you can't call it a vulnerability.

Now let's take a look at the error that caused the vulnerability in iOS.

Vulnerability Description CVE-2014-1266: The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, 
                                 bool isRsa, 
                                 SSLBuffer signedParams,
                                 uint8_t *signature, 
                                 UInt16 signatureLen)
{
  OSStatus err;
  ....

  if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
  if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;
  if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
  ....

fail:
  SSLFreeBuffer(&signedHashes);
  SSLFreeBuffer(&hashCtx);
  return err;
}

Please note that PVS-Studio issues the same warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.

The double goto made a part of the code unreachable. Even if the err variable is null, the transition to the fail label occurs. That's why, a signature verification does not happen. The function returns 0, which indicates that the problem is not in the signature. Then, the program gets the server key, even if there are problems with the signature. This key encrypts data during transmission.

So, here the same potential vulnerability turns out to be a critical vulnerability.

Conclusion. It's clear that such error in a game is non-fatal in terms of security. But it may become fatal. Therefore, don't try to guess whether an error is dangerous. It's always better to fix a bug.

SAST: in search of vulnerabilities and potential vulnerabilities

There are two types of SAST tools.

Analyzers of the first type search for known vulnerabilities. They operate pretty much like antivirus software. Such analyzers detect common vulnerabilities (CVE) in code fragments.

Some old libraries may contain a known vulnerability. If a programmer used such a library, an analyzer would find a vulnerability. Database search tools almost do not issue false positives. However, they can't find errors in new code (zero-day vulnerabilities).

Analyzers of the second type search for zero-day vulnerabilities. Suppose an application contains a hidden error. If a hacker finds such a bug, they may create a new vulnerability.

Analyzers of the second type detect errors that are likely to cause a vulnerability. CWE provides a large list of such error patterns. Many analyzer developers use CWE as a guide.

The PVS-Studio analyzer is a SAST tool of the second type. It can classify warnings according to CWE. In other words, PVS-Studio prevents zero-day vulnerabilities.

Additional links

Comments (0)

Next comments next comments
close comment form
Unicorn with delicious cookie
Our website uses cookies to enhance your browsing experience.
Accept