CWE-413: Improper Resource Locking

Description

The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.

Extended Description

When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2022-20141

Chain: an operating system kernel has insufficent resource locking (CWE-413) leading to a use after free (CWE-416).

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A

Common Consequences

Impact: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart — Notes:

Potential Mitigations

Architecture and Design: Use a non-conflicting privilege scheme. (N/A)
Architecture and Design: Use synchronization when locking a resource. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: The following function attempts to acquire a lock in order to perform operations on a shared resource.

Body: However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

void f(pthread_mutex_t *mutex) { pthread_mutex_lock(mutex); /* access shared resource */ pthread_mutex_unlock(mutex); }

Intro: This Java example shows a simple BankAccount class with deposit and withdraw methods.

Body: However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.

public class BankAccount { // variable for bank account balance private double accountBalance; // constructor for BankAccount public BankAccount() { accountBalance = 0; } // method to deposit amount into BankAccount public void deposit(double depositAmount) { double newBalance = accountBalance + depositAmount; accountBalance = newBalance; } // method to withdraw amount from BankAccount public void withdraw(double withdrawAmount) { double newBalance = accountBalance - withdrawAmount; accountBalance = newBalance; } // other methods for accessing the BankAccount object ... }

Notes

No notes available.

← Back to CWE list