Class · High

CWE-405: Asymmetric Resource Consumption (Amplification)


CWE-405 · Class Level · 8 CVEs · 3 Mitigations

Description

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.

Potential Impact

Availability

DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Demonstrative Examples

This code listens on a port for DNS requests and sends the result to the requesting address.
Bad
    import socket

    # UDP_IP and UDP_PORT are the listening address; parseUDPpacket, resolveName and
    # sendResponse are the resolver's own helpers, left abstract in the original listing.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((UDP_IP, UDP_PORT))
    while True:
        data = sock.recvfrom(1024)
        if not data:
            break
        # the "requesting" address is taken from the packet, which the sender controls
        (requestIP, nameToResolve) = parseUDPpacket(data)
        record = resolveName(nameToResolve)
        sendResponse(requestIP, record)
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may then be overwhelmed by the network traffic.
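The two controls a resolver operator reaches for against this pattern are measuring the amplification factor (bytes sent per byte received) and refusing to keep answering one claimed source address at full size, in the style of DNS Response Rate Limiting. The following is an added example, not code from the CWE entry: a simulated responder with a per-source token bucket and a response-size cap. Packet, ResponseRateLimiter, Responder, fake_resolve and simulate are hypothetical names, the query and record sizes are constructed, and no socket is opened.

```python
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str      # address the packet claims to come from (spoofable over UDP)
    payload: bytes


class ResponseRateLimiter:
    """Token bucket per source address, in the spirit of DNS Response Rate Limiting (RRL).

    Each source gets at most `rate` responses per second with a burst of `burst`;
    excess queries are dropped, so a spoofed source cannot keep the responder busy.
    """

    def __init__(self, rate=5.0, burst=10, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, src_ip):
        now = self.clock()
        elapsed = now - self.last.get(src_ip, now)
        self.last[src_ip] = now
        self.tokens[src_ip] = min(self.burst, self.tokens[src_ip] + elapsed * self.rate)
        if self.tokens[src_ip] >= 1:
            self.tokens[src_ip] -= 1
            return True
        return False


def fake_resolve(query: bytes) -> bytes:
    """Constructed stand-in for a lookup: 'ANY'-style queries return a large record set."""
    return b"R" * (3000 if b"ANY" in query else 100)


class Responder:
    def __init__(self, limiter=None, max_response_bytes=512):
        self.limiter = limiter
        self.max_response_bytes = max_response_bytes
        self.bytes_in = self.bytes_out = self.dropped = 0

    def handle(self, pkt: Packet):
        self.bytes_in += len(pkt.payload)
        if self.limiter is not None and not self.limiter.allow(pkt.src_ip):
            self.dropped += 1
            return None
        reply = fake_resolve(pkt.payload)
        if self.max_response_bytes is not None and len(reply) > self.max_response_bytes:
            reply = b"TC"   # constructed stand-in for a truncated reply: a real client retries over TCP
        self.bytes_out += len(reply)
        return reply

    def amplification(self):
        """Bytes sent per byte received; above 1.0 the service multiplies traffic."""
        return self.bytes_out / self.bytes_in if self.bytes_in else 0.0


def simulate(n_queries=100, rate_limit=True, cap_response=True):
    """Replay n queries that all claim the same (spoofed) source address, all at t=0."""
    limiter = ResponseRateLimiter(rate=5.0, burst=10, clock=lambda: 0.0) if rate_limit else None
    responder = Responder(limiter, max_response_bytes=512 if cap_response else None)
    query = b"ANY example.test" + b"\x00" * 24          # constructed 40-byte query
    for _ in range(n_queries):
        responder.handle(Packet(src_ip="203.0.113.9", payload=query))
    return responder


if __name__ == "__main__":
    for rl, cap in ((False, False), (False, True), (True, True)):
        r = simulate(rate_limit=rl, cap_response=cap)
        print(f"rate_limit={rl!s:5} cap={cap!s:5} in={r.bytes_in} out={r.bytes_out} "
              f"dropped={r.dropped} amplification={r.amplification():.3f}")
```

Without either control the constructed 40-byte query draws a 3000-byte answer, a 75x multiplier aimed at whatever address was written into the packet; the size cap alone brings that under 1.0, and the per-source bucket stops the flood after the burst. Neither control needs the responder to know whether the source is genuine, which is the point: the work done per packet must stay proportional to what the sender proved.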
This function prints the contents of a specified file requested by a user.
Bad
    function printFile($username, $filename) {
        // read file into string
        $file = file_get_contents($filename);
        if ($file && isOwnerOf($username, $filename)) {
            echo $file;
            return true;
        } else {
            echo 'You are not authorized to view this file';
        }
        return false;
    }
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Attack
    <?xml version="1.0"?>
    <!DOCTYPE MaliciousDTD [
      <!ENTITY ZERO "A">
      <!ENTITY ONE "&ZERO;&ZERO;">
      <!ENTITY TWO "&ONE;&ONE;">
      ...
      <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
    ]>
    <data>&THIRTYTWO;</data>
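The defence the paragraph above implies is to know the expanded size before any parser allocates it. The following is an added example, not part of the CWE entry: a pre-parse estimator that reads the internal DTD's general entity declarations, resolves references recursively with memoisation (so the 33-entity chain costs 33 steps, not 2^32), rejects recursive definitions, and compares the result with a budget. ENTITY_DECL, expanded_length, estimate_expansion, is_safe_to_parse and build_bomb are hypothetical names; build_bomb constructs the page's DTD with numbered names E0..E32 standing in for ZERO..THIRTYTWO.

```python
import re

# Internal general entities declared with double quotes; parameter entities
# (<!ENTITY % ...>) and external entities are out of scope for this estimator.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def expanded_length(text, entities, memo, stack=()):
    """Length of `text` once every entity reference in it is recursively expanded."""
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos                      # literal text before the reference
        name = m.group(1)
        if name in stack:                             # a -> b -> a: illegal in XML anyway
            raise ValueError(f"recursive entity reference: {name}")
        if name in entities:
            if name not in memo:                      # each entity's size is computed once
                memo[name] = expanded_length(entities[name], entities, memo, stack + (name,))
            total += memo[name]
        else:
            total += len(m.group(0))                  # predefined/unknown: keep literal length (conservative)
        pos = m.end()
    return total + len(text) - pos


def estimate_expansion(doc):
    """Return (expanded size of the document body, number of declared entities)."""
    entities = dict(ENTITY_DECL.findall(doc))
    end = doc.find("]>") if "<!DOCTYPE" in doc else -1
    body = doc[end + 2:] if end >= 0 else doc         # text after the internal subset
    return expanded_length(body, entities, {}), len(entities)


def is_safe_to_parse(doc, max_expanded_bytes=10 * 1024 * 1024, max_entities=64):
    """Gate to run before feeding `doc` to a real parser."""
    size, count = estimate_expansion(doc)
    return size <= max_expanded_bytes and count <= max_entities


def build_bomb(depth=32):
    """Construct the page's doubling chain: E0 = "A", Ei = &E(i-1);&E(i-1);."""
    decls = ['<!ENTITY E0 "A">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY E{i} "&E{i-1};&E{i-1};">')
    return ('<?xml version="1.0"?><!DOCTYPE MaliciousDTD ['
            + "".join(decls) + f']><data>&E{depth};</data>')


if __name__ == "__main__":
    bomb = build_bomb(32)
    print(len(bomb), "bytes on the wire ->", estimate_expansion(bomb)[0], "bytes expanded")
    print("safe:", is_safe_to_parse(bomb))
```

The asymmetry is visible in the two numbers the script prints: a document of roughly a kilobyte expands to 2^32 characters plus the enclosing `<data>` element. The estimate is an upper bound (unknown and predefined entities are counted at their literal length), which is the right direction for a gate; a document that passes still goes through a parser with its own entity limits.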
This example attempts to check if an input string is a "sentence" [REF-1164].
Bad
    var test_string = "Bad characters: $@#";
    var bad_pattern  = /^(\w+\s?)*$/i;
    var result = test_string.search(bad_pattern);
Good
    var test_string = "Bad characters: $@#";
    var good_pattern  = /^((?=(\w+))\2\s?)*$/i;
    var result = test_string.search(good_pattern);
Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.
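To see why the bad pattern is a resource-asymmetry problem rather than a correctness one, it helps to put the two patterns next to a check that accepts the same language in one pass. The following is an added example, not code from the CWE entry or [REF-1164]: the page's JavaScript patterns carried over to Python's re module (which also supports the lookahead-plus-backreference form), a hand-written linear-time checker, and a timer for the vulnerable pattern. BAD_PATTERN, GOOD_PATTERN, is_sentence_linear, regex_says and time_bad_pattern are hypothetical names; re.A pins \w and \s to ASCII so the checker's character sets match the regexes exactly.

```python
import re
import time

# Page's vulnerable pattern: a repeated group whose inner \w+ can be re-split on backtracking.
BAD_PATTERN = re.compile(r'^(\w+\s?)*$', re.I | re.A)
# Page's hardened pattern: the lookahead captures a whole word and \2 consumes exactly it, so
# backtracking cannot re-split the word. (Python 3.11+ could write the possessive ^(\w++\s?)*$.)
GOOD_PATTERN = re.compile(r'^((?=(\w+))\2\s?)*$', re.I | re.A)

WORD = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")  # \w under re.A
SPACE = frozenset(" \t\n\r\f\v")                                                      # \s under re.A


def is_sentence_linear(s):
    """Accept exactly the language of ^(\\w+\\s?)*$ (words, each followed by at most one
    separator) in a single left-to-right pass, with no backtracking at all."""
    i, n = 0, len(s)
    while i < n:
        j = i
        while j < n and s[j] in WORD:
            j += 1
        if j == i:                  # a word is required here and none was found
            return False
        i = j
        if i < n and s[i] in SPACE:
            i += 1                  # consume at most one separator per word
    return True


def regex_says(pattern, s):
    """True if `pattern` accepts `s`. Note: `$` also matches before a final newline, so
    inputs ending in '\\n' are the one place the regexes and the linear check can differ."""
    return pattern.search(s) is not None


def time_bad_pattern(n):
    """Seconds for BAD_PATTERN to reject n word characters followed by '!'. The engine tries
    every way of partitioning the n characters into \\w+ runs before giving up, so each
    extra character roughly doubles the time."""
    s = "a" * n + "!"
    t0 = time.perf_counter()
    BAD_PATTERN.search(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for s in ["Bad characters: $@#", "This is a sentence", "double  space", "trailing ", ""]:
        print(f"{s!r:25} bad={regex_says(BAD_PATTERN, s)!s:5} good={regex_says(GOOD_PATTERN, s)!s:5} "
              f"linear={is_sentence_linear(s)}")
    for n in (10, 14, 18):          # kept small on purpose; growth is exponential in n
        print(f"n={n:2} bad pattern took {time_bad_pattern(n):.4f}s")
```

All three checks agree on what is and is not a "sentence"; only their cost differs. The rejecting input in the timer is the shape a ReDoS payload takes (a long run of word characters ending in one character the pattern cannot accept), which is why input-length limits and a hardened or hand-written matcher belong together.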

Mitigations & Prevention

Architecture and Design

An application must make resources available to a client commensurate with the client's access level.

Architecture and Design

An application must, at all times, keep track of allocated resources and meter their usage appropriately.

System Configuration · High

Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
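For a TLS server this mitigation is a cipher-string change plus a check that it took effect, since a suite list that still contains finite-field DHE leaves the server doing a modular exponentiation per handshake on the client's say-so (the pattern behind CVE-2002-20001 and CVE-2022-40735 in the table below). The following is an added example, not from the CWE entry: a server-side context built with Python's standard ssl module that excludes every DHE suite via OpenSSL's `!DHE` alias, and a helper that lists any DHE suites still enabled. hardened_server_context, permissive_server_context and dhe_ciphers are hypothetical names; which suites the permissive context actually carries depends on the local OpenSSL build.

```python
import ssl


def dhe_ciphers(ctx):
    """Names of enabled cipher suites that use ephemeral finite-field Diffie-Hellman
    (OpenSSL names them DHE-RSA-..., DHE-DSS-..., etc.; ECDHE suites are not matched)."""
    return [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("DHE-")]


def hardened_server_context():
    """Server context limited to ECDHE key exchange with AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE+AESGCM / ECDHE+CHACHA20 select the suites; '!DHE' is OpenSSL's alias that
    # permanently removes finite-field ephemeral DH suites; !aNULL/!eNULL drop
    # unauthenticated and unencrypted suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!DHE:!aNULL:!eNULL")
    return ctx


def permissive_server_context():
    """Baseline for comparison: whatever the local OpenSSL build enables under 'ALL'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    print("permissive DHE suites:", dhe_ciphers(permissive_server_context()))
    print("hardened   DHE suites:", dhe_ciphers(hardened_server_context()))
    print("hardened suites:", [c["name"] for c in hardened_server_context().get_ciphers()])
```

The check matters more than the string: `set_ciphers` only raises if nothing at all matches, so a typo that silently keeps DHE suites is otherwise invisible. Running `dhe_ciphers` against the deployed context (or `openssl ciphers -v` with the same string) turns the configuration intent into a verifiable assertion.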

Real-World CVE Examples

CVE ID         | Description
CVE-1999-0513  | Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
CVE-2003-1564  | Parsing library allows XML bomb
CVE-2004-2458  | Tool creates directories before authenticating user.
CVE-2020-10735 | Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243  | server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2013-5211  | composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
CVE-2002-20001 | Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular expone
CVE-2022-40735 | The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.

Taxonomy Mappings

  • PLOVER — Asymmetric resource consumption (amplification)
  • OWASP Top Ten 2004: A9 — Denial of Service
  • WASC: 41 — XML Attribute Blowup
  • The CERT Oracle Secure Coding Standard for Java (2011): TPS00-J — Use thread pools to enable graceful degradation of service during traffic bursts
  • The CERT Oracle Secure Coding Standard for Java (2011): FIO04-J — Release resources when they are no longer needed

Frequently Asked Questions

What is CWE-405?

CWE-405 (Asymmetric Resource Consumption (Amplification)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

How can CWE-405 be exploited?

Attackers can exploit CWE-405 (Asymmetric Resource Consumption (Amplification)) to cause DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), or DoS: Resource Consumption (Other). This weakness is typically introduced during the Architecture and Design, Implementation, or Operation phases of software development.

How do I prevent CWE-405?

Key mitigations include: An application must make resources available to a client commensurate with the client's access level.

What is the severity of CWE-405?

CWE-405 is classified as a Class-level weakness (High abstraction). It has been observed in 8 real-world CVEs.