Description
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Potential Impact
Integrity, Availability, Confidentiality, Other
Execute Unauthorized Code or Commands, Alter Execution Logic, Other
Demonstrative Examples
URL[] classURLs= new URL[]{new URL("file:subdir/")};URLClassLoader loader = new URLClassLoader(classURLs);Class loadedClass = Class.forName("loadMe", true, loader);//assume the password is already encrypted, avoiding CWE-312
function authenticate($username,$password){
include("http://external.example.com/dbInfo.php");
//dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');mysql_select_db($dbname);$query = 'Select * from users where username='.$username.' And password='.$password;$result = mysql_query($query);
if(mysql_numrows($result) == 1){mysql_close();return true;}else{mysql_close();return false;}
}Mitigations & Prevention
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to
Detection Methods
- Manual Analysis — This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is typically requi
- Black Box — Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new wea
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2019-9534 | Satellite phone does not validate its firmware image. |
| CVE-2021-22909 | Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firm |
| CVE-2008-3438 | OS does not verify authenticity of its own updates. |
| CVE-2008-3324 | online poker client does not verify authenticity of its own updates. |
| CVE-2001-1125 | anti-virus product does not verify automatic updates for itself. |
| CVE-2002-0671 | VOIP phone downloads applications from web sites without verifying integrity. |
Related Weaknesses
Taxonomy Mappings
- CLASP: — Invoking untrusted mobile code
- The CERT Oracle Secure Coding Standard for Java (2011): SEC06-J — Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
- Software Fault Patterns: SFP27 — Tainted input to environment
Frequently Asked Questions
What is CWE-494?
CWE-494 (Download of Code Without Integrity Check) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
How can CWE-494 be exploited?
Attackers can exploit CWE-494 (Download of Code Without Integrity Check) to execute unauthorized code or commands, alter execution logic, other. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.
How do I prevent CWE-494?
Key mitigations include: Perform proper forward and reverse DNS lookups to detect DNS spoofing.
What is the severity of CWE-494?
CWE-494 is classified as a Base-level weakness (Medium abstraction). It has been observed in 6 real-world CVEs.