CWE-456: Missing Initialization of a Variable

Export to Word

Description

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2020-6078

Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
CVE: CVE-2019-3836

Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
CVE: CVE-2018-14641

Chain: C union member is not initialized (CWE-456), leading to access of invalid pointer (CWE-824)
CVE: CVE-2009-2692

Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
CVE: CVE-2020-20739

A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
CVE: CVE-2005-2978

Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
CVE: CVE-2005-2109

Internal variable in PHP application is not initialized, allowing external modification.
CVE: CVE-2005-2193

Array variable not initialized in PHP application, leading to resultant SQL injection.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State, Quality Degradation, Varies by Context — Notes: The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

Potential Mitigations

Implementation: Check that critical variables are initialized. (N/A)
Testing: Use a static analysis tool to spot non-initialized variables. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: This function attempts to extract a pair of numbers from a user-supplied string.

Body: This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

void parse_data(char *untrusted_input){ int m, n, error; error = sscanf(untrusted_input, "%d:%d", &m, &n); if ( EOF == error ){ die("Did not specify integer value. Die evil hacker!\n"); } /* proceed assuming n and m are initialized correctly */ }

Intro: Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

private User user; public void someMethod() { // Do something interesting. ... // Throws NPE if user hasn't been properly initialized. String username = user.getName(); }

Intro: This code first authenticates a user, then allows a delete command if the user is an administrator.

Body: The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

if (authenticate($username,$password) && setAdmin($username)){ $isAdmin = true; } /.../ if ($isAdmin){ deleteUser($userToDelete); }

Intro: In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.

Body: However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

public class BankManager { // user allowed to perform bank manager tasks private User user = null; private boolean isUserAuthentic = false; // constructor for BankManager class public BankManager() { ... } // retrieve user from database of users public User getUserFromUserDatabase(String username){ ... } // set user variable using username public void setUser(String username) { this.user = getUserFromUserDatabase(username); } // authenticate user public boolean authenticateUser(String username, String password) { if (username.equals(user.getUsername()) && password.equals(user.getPassword())) { isUserAuthentic = true; } return isUserAuthentic; } // methods for performing bank manager tasks ... }

Intro: This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.

Body: When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:

char *test_string; if (i != err_val) { test_string = "Hello World!"; } printf("%s", test_string);

Intro: Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.

Body: In PgServiceResolver.java, when pgType is "card" indicating a card payment, orderPgData.validateAmount() is not called - that is, the amount is not validated to be the same as the expected price. Since isPaymentAmountTampered is declared as a private boolean, but it is not initialized, it is forcibly initialized to false by the Java compiler [REF-1476]. If the adversary modifies the price, e.g., changing paymentAmount from 100 to 10, then no validation is performed. Since isPaymentAmountTampered is "false" because of the default initialization, the code finishes processing the payment because it does not believe that the amount has been changed.

File: OrderPgData.java public class OrderPgData { String PgType; int productPrice; int paymentAmount; private boolean isPaymentAmountTampered; public boolean getIsPaymentAmountTampered() { return this.isPaymentAmountTampered; } ... public void validateAmount() { ... [sets this.setIsPaymentAmountTampered to true or false depending on whether the product price matches the payment amount] }

Notes

Relationship: This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.
Research Gap: It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.

← Back to CWE list