Control of Interaction Frequency Bugs (CIF) Examples
CVE-2002-0628
BF Taxonomy
Attributes:
Interaction: Authentication Attempt
Number: Specified Number
Unit: Authentication Event
Consequence:
Credentials compromise (username or password)
BF Description:
"Failure to limit to a specified number the
authentication attempts per authentication event by same or different
user(s) may be exploited for credentials compromise (username or password)
via brute force." [2]
CVE Description
"The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login
attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack."
[1]
Analysis
[1,3] include sufficient information for describing this CVE using BF.
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
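The following is an added example, not code from the BF page or from Polycom: a login handler that bounds failed attempts per authentication event (one session) is shown beside an unbounded handler that has the CVE-2002-0628 pattern. The credential store, the user name, the limit of three failures and the return strings are assumptions made for the example.

```python
# Added example, not code from the BF page or from Polycom: a login handler
# that bounds failed attempts per authentication event (one session), beside
# the unbounded handler that is the CVE-2002-0628 pattern. The credential
# store, the user name, the limit of 3 and the return strings are assumptions.
import hashlib
import hmac
import os


# Constructed credential store: username -> (salt, SHA-256(salt || password)).
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


_SALT = os.urandom(16)
_USERS = {"admin": (_SALT, _digest(_SALT, "correct horse battery staple"))}
_DUMMY = (bytes(16), bytes(32))  # compared against when the user is unknown


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users take the same code path as known ones."""
    salt, expected = _USERS.get(username, _DUMMY)
    return hmac.compare_digest(_digest(salt, password), expected)


class UnlimitedSession:
    """Bug pattern: nothing bounds failures, so the session keeps evaluating guesses."""

    def __init__(self) -> None:
        self.failures = 0

    def attempt(self, username: str, password: str) -> str:
        if check_password(username, password):
            return "ok"
        self.failures += 1
        return "denied"


class LimitedSession:
    """Fix pattern: after MAX_FAILURES failed attempts in this authentication event
    the session is closed and every further attempt, even a correct one, is refused.
    The client must reconnect, which a per-source or per-account limit can then count."""

    MAX_FAILURES = 3

    def __init__(self) -> None:
        self.failures = 0
        self.closed = False

    def attempt(self, username: str, password: str) -> str:
        if self.closed:
            return "session closed"
        if check_password(username, password):
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.closed = True
            return "session closed"
        return "denied"


if __name__ == "__main__":
    session = LimitedSession()
    for pw in ("wrong-1", "wrong-2", "wrong-3", "correct horse battery staple"):
        print(pw, "->", session.attempt("admin", pw))
```

The unit in the BF attributes is the authentication event, so the counter lives in the session object and is discarded with it; closing the session is what forces the cost of a reconnect onto each further batch of attempts, and a limit per source address or per account (a specified number per time interval, as in the next example's taxonomy) is the usual complement.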
CVE-2002-1876
BF Taxonomy
Cause:
Failure to recognize repeated interactions leads to failure to properly limit
Attributes:
Interaction: Authentication Attempt
Number: Specified Number
Unit: Specified Time Interval
Actor: Authenticated Users
Consequence:
Resource exhaustion (consumption of all granted licenses) leading to DoS
BF Description:
"Failure to recognize repeated interactions that are rapid initiations of
message exchange requests from authenticated users, leads to
failure to properly limit them to a specified number per
specified time interval, which may be exploited for resource exhaustion (consumption
of all granted licenses) leading to DoS." [2]
CVE Description
"Microsoft Exchange 2000 allows remote authenticated attackers to cause a denial of service via a large number
of rapid requests, which consumes all of the licenses that are granted to Exchange by IIS." [4]
Analysis
[4] includes sufficient information for describing this CVE using BF.
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
CVE-2002-1018
BF Taxonomy
Consequence:
Resource exhaustion (consumption of all granted licenses) leading to DoS
BF Description:
"Failure to limit the checkouts of a book to a single
one per user may be exploited for resource exhaustion
leading to DoS." [2]
CVE Description
"The library feature for Adobe Content Server 3.0 does not verify if a customer has already checked out an
eBook, which allows remote attackers to cause a denial of service (resource exhaustion) by checking out the same
book multiple times." [5]
Analysis
[5] includes sufficient information for describing this CVE using BF.
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
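The following is an added example, not code from the BF page, Microsoft or Adobe, and it serves both the CVE-2002-1876 and the CVE-2002-1018 sections: a shared resource pool whose acquire() enforces the two limits those products lacked, a cap on requests per user per time interval and a single outstanding checkout of an item per user, shown beside an unlimited pool that exhibits the exhaustion. The class and method names, the window length, the cap, the capacity and the injected clock are assumptions made for the example.

```python
# Added example, not code from the BF page, Microsoft or Adobe: a shared
# resource pool whose acquire() enforces the two limits these CVEs lacked,
# a per-user cap on requests per time interval (CVE-2002-1876) and a single
# outstanding checkout of an item per user (CVE-2002-1018), beside the
# unlimited pool that shows the exhaustion. The class and method names, the
# window, the cap, the capacity and the injected clock are assumptions.
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class LimitedPool:
    WINDOW_SECONDS = 60.0  # length of the sliding interval
    MAX_PER_WINDOW = 5     # requests one user may make inside it

    def __init__(self, capacity: int, clock: Callable[[], float]) -> None:
        self.capacity = capacity                  # total licenses / copies available
        self.held: List[Tuple[str, str]] = []     # (user, item) grants outstanding
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # user -> request times
        self.clock = clock

    def _within_rate(self, user: str) -> bool:
        """Record a request and report whether the user is inside the interval limit.
        Refused requests are counted too, so a client that keeps hammering stays limited."""
        now = self.clock()
        q = self.recent[user]
        while q and now - q[0] >= self.WINDOW_SECONDS:
            q.popleft()               # drop requests older than the window
        q.append(now)
        return len(q) <= self.MAX_PER_WINDOW

    def acquire(self, user: str, item: str) -> str:
        if not self._within_rate(user):
            return "rate limited"
        if (user, item) in self.held:
            return "already checked out"   # one checkout of an item per user
        if len(self.held) >= self.capacity:
            return "exhausted"
        self.held.append((user, item))
        return "granted"

    def release(self, user: str, item: str) -> None:
        self.held.remove((user, item))


class UnlimitedPool(LimitedPool):
    """Bug pattern: every request is granted until nothing is left for anyone."""

    def acquire(self, user: str, item: str) -> str:
        if len(self.held) >= self.capacity:
            return "exhausted"
        self.held.append((user, item))
        return "granted"


class FakeClock:
    """Constructed clock so the sliding window can be advanced deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    pool = LimitedPool(capacity=8, clock=clock)
    for item in ("book0", "book1", "book0", "book2", "book3", "book4"):
        print("alice", item, "->", pool.acquire("alice", item))
    clock.advance(60.0)
    print("alice book4 after the window ->", pool.acquire("alice", "book4"))
```

In the Exchange case the BF unit is a specified time interval, which the sliding window implements; in the Content Server case the limit is a single checkout per user, which the duplicate check implements. Both checks run before the capacity check, so one authenticated user cannot drain a pool that other users share.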
References
[1] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-0628.
[2] Irena Bojanova, Paul E. Black, Yaacov Yesha, and Yan Wu, The Bugs Framework (BF): A Structured Approach
to Express Bugs, QRS 2016, Vienna, Austria.
[4] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-1876.
[5] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2002-1018.