1. Home
  2. CWE Database
  3. CWE-778
Base · Medium

CWE-778: Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

CWE-778 · Base Level ·5 CVEs ·4 Mitigations

Description

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled.

Potential Impact

Non-Repudiation

Hide Activities

Demonstrative Examples

The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).
Bad
<system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="None"messageAuthenticationAuditLevel="None" />...
                        
                     </system.serviceModel>
The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.
Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779).
Good
<system.serviceModel><behaviors><serviceBehaviors><behavior name="NewBehavior"><serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="SuccessAndFailure"messageAuthenticationAuditLevel="SuccessAndFailure" />
                              ...
                        
                     </system.serviceModel>
In the following Java example the code attempts to authenticate the user. If the login fails a retry is made. Proper restrictions on the number of login attempts are of course part of the retry functionality. Unfortunately, the failed login is not recorded and there would be no record of an adversary attempting to brute force the program.
Bad
if LoginUser(){
                     // Login successful
		     RunProgram();
                  } else {
                     // Login unsuccessful
		     LoginRetry();
                  }
It is recommended to log the failed login action. Note that unneutralized usernames should not be part of the log message, and passwords should never be part of the log message.
Good
if LoginUser(){
                     // Login successful
		     log.warn("Login by user successful.");
		     RunProgram();
                     } else {
                     
		       // Login unsuccessful
		       log.warn("Login attempt by user failed, trying again.");
		     LoginRetry();
                  }
Consider this command for updating Azure's Storage Logging for Blob service, adapted from [REF-1307]:
Bad
az storage logging update --account-name --account-key --services b --log d --retention 90
The "--log d" portion of the command says to log deletes. However, the argument does not include the logging of writes and reads. Adding the "rw" arguments to the -log parameter will fix the issue:
Good
az storage logging update --account-name --account-key --services b --log rwd --retention 90
To enable Azure's storage analytic logs programmatically using PowerShell:
Good
Set-AzStorageServiceLoggingProperty -ServiceType Queue -LoggingOperations read,write,delete -RetentionDays 5 -Context $MyContextObject
Notice that here, the retention has been limited to 5 days.

Mitigations & Prevention

Architecture and Design

Use a centralized logging mechanism that supports multiple levels of detail.

Implementation

Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.

Operation

Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment.

Operation

To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command could be called using appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2008-4315server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
CVE-2008-1203admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
CVE-2007-3730default configuration for POP server does not log source IP or username for login attempts
CVE-2007-1225proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection
CVE-2003-1566web server does not log requests for a non-standard request type

CWE-223: Omission of Security-relevant Information

The product does not record or display information that would be important for identifying the source or nature of an at...

Frequently Asked Questions

What is CWE-778?

CWE-778 (Insufficient Logging) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

How can CWE-778 be exploited?

Attackers can exploit CWE-778 (Insufficient Logging) to hide activities. This weakness is typically introduced during the Operation phase of software development.

How do I prevent CWE-778?

Key mitigations include: Use a centralized logging mechanism that supports multiple levels of detail.

What is the severity of CWE-778?

CWE-778 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.