Control of Interaction Frequency Bugs (CIF) Examples

CVE-2002-0628

BF Taxonomy

Cause: Failure to Limit

Attributes:
Interaction: Authentication Attempt
Number: Specificed Number
Unit: Authentication Event
Actor: User(s)

Consequence: Credentials compromise (username or password)

BF Description:

"Failure to limit to a specified number the authentication attempts per authentication event by same or different user(s) may be exploited for credentials compromise (username or password) via brute force." [2]

CVE Description

"The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack." [1]

Analysis

[1,3] include sufficient information for describing this CVE using BF.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

CVE-2002-1876

BF Taxonomy

Cause: Failure to recognize repeated interactions leads to failure to properly limit

Attributes:
Interaction: Authentication Attempt
Number: Specificed Number
Unit: Specfied Time interval
Actor: Authenticated Users

Consequence: Resource exhaustion (consumption of all granted licenses) leading to DoS

BF Description:

"Failure to recognize repeated interactions that are rapid initiations of message exchange requests from authenticated users, leads to failure to properly limit them to a specified number per specified time interval, which may be exploited for resource exhaustion (consumption of all granted licenses) leading to DoS." [2]

CVE Description

"Microsoft Exchange 2000 allows remote authenticated attackers to cause a denial of service via a large number of rapid requests, which consumes all of the licenses that are granted to Exchange by IIS." [4]

Analysis

[4] includes sufficient information for describing this CVE using BF.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

CVE-2002-1018

BF Taxonomy

Cause: Failure to limit

Attributes:
Interaction: Checkout
Number: Single
Unit: User
Actor: User

Consequence: Resource exhaustion (consumption of all granted licenses) leading to DoS

BF Description

"Failure to limit the checkouts of a book to a single one per user may be exploited for resource exhaustion leading to DoS." [2]

CVE Description

"The library feature for Adobe Content Server 3.0 does not verify if a customer has already checked out an eBook, which allows remote attackers to cause a denial of service (resource exhaustion) by checking out the same book multiple times." [5]

Analysis

[5] includes sufficient information for describing this CVE using BF.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

References

[1] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-0628.

[2] Irena Bojanova, Paul E. Black, Yaacov Yesha, and Yan Wu, The Bugs Framework (BF): A Structured Approach to Express Bugs, QRS 2016, Vienna, Austria.

[3] The MITRE Corporation, CWE Common Weakness Enumeration, CWE-307: Improper Restriction of Excessive Authentication Attempts.

[4] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-1876.

[5] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-1018.