From 54f8d1db9194d377fff169c8107955990816a418 Mon Sep 17 00:00:00 2001 From: edanhub Date: Fri, 3 Jan 2025 09:33:30 +0100 Subject: [PATCH 1/3] pySCG: Adding documentation to CWE-489 as part of #531 Signed-off-by: edanhub --- .../CWE-710/CWE-489/README.md | 49 +++++++++++++++++++ docs/Secure-Coding-Guide-for-Python/readme.md | 1 + 2 files changed, 50 insertions(+) create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md new file mode 100644 index 00000000..c484d253 --- /dev/null +++ b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md 
@@ -0,0 +1,49 @@ +# CWE-489: Active Debug Code + +Keep design tooling in separate packages from the actual product and supply useful logging. + +Design tooling for functional tests, performance tests, or troubleshooting increases the attackable surface making a product more vulnerable [[MITRE 2023](https://cwe.mitre.org/data/definitions/489.html)]. A need to include them in a final product typically originates from missing the concept of staged testing with separate packaging of the product and required design tooling. Designers only using high privileged users for troubleshooting is often the root cause for badly designed logging that forces the operator to also use highly privileged or shared accounts in production. + +Anti-patterns: + +* Printing debug information directly to stdout or to the web-interface +* Ports left open such as 22 for ssh or 5678 for debugpy +* Verbose logging enabled in production sites. +* Monkey patching [[Monkey patch - Wikipedia 2023](https://en.wikipedia.org/wiki/Monkey_patch)]. +* Hidden functions enabling/disabling verbose logging via external interfaces. +* Hidden functions providing a shell for troubleshooting. +* Operators need of root or superuser access for troubleshooting +* Test tools and results available in the product +* Designing directly on a live instance. + +Not knowing that a product must be deployed differently in production than in staging can leave well known entry points wide open. [[Hammond 2022](https://www.youtube.com/watch?v=jwBRgaIRdgs)]. Well written test-driven design can avoid the need to have such excessive troubleshooting design tooling as seen in Flask. 
+ +## Automated Detection + +|Tool|Version|Checker|Description| +|:---|:---|:---|:---| +|Bandit|1.7.4 on Python 3.10.4|Not Available|| +|Flake8|8-4.0.1 on Python 3.10.4|Not Available|| + +## Related Vulnerabilities + +|Component|CVE|Description|CVSS Rating|Comment| +|:---|:---|:---|:---|:---| +|ceph-isci-cli Red Hat Ceph Storage 2,3|[CVE-2018-14649](https://nvd.nist.gov/vuln/detail/CVE-2018-14649)|ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges.|CVSS 3.xx: 9.8|| +|OpenStack ironic-inspector, ironic-discoverd|[CVE-2015-5306](https://nvd.nist.gov/vuln/detail/CVE-2015-5306)|When debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.|CVSS 2.x: 6.8|| + +## Related Guidelines + +||| +|:---|:---| +|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-710: Improper Adherence to Coding Standards (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/710.html)| +|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-489: Active Debug Code (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/489.html)| +|[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ENV05-J. Do not deploy an application that can be remotely monitored](https://wiki.sei.cmu.edu/confluence/display/java/ENV05-J.+Do+not+deploy+an+application+that+can+be+remotely+monitored)| +|[Python - Secure Coding One Stop Shop](https://eteamspace.internal.ericsson.com/display/DEVEN/Python+-+Secure+Coding+One+Stop+Shop)|[FIO13-P3. 
Do not log sensitive information outside a trust boundary](https://eteamspace.internal.ericsson.com/display/DEVEN/FIO13-P3.+Do+not+log+sensitive+information+outside+a+trust+boundary)| + +## Bibliography + +||| +|:---|:---| +|[[Monkey patch - Wikipedia 2023](https://en.wikipedia.org/wiki/Monkey_patch)]|Wikimedia Foundation. (2024). Monkey patch [online]. Available from: [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch) [accessed 3 January 2025] +|[[Hammond 2022](https://en.wikipedia.org/wiki/Monkey_patch)]|John Hammond. (2024). DANGEROUS Python Flask Debug Mode Vulnerabilities [online]. Available from: [https://www.youtube.com/watch?v=jwBRgaIRdgs](hhttps://www.youtube.com/watch?v=jwBRgaIRdgs) [accessed 3 January 2025] diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 3af8a416..c4efc5fb 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -97,6 +97,7 @@ It is **not production code** and requires code-style or python best practices t |:----------------------------------------------------------------|:----| |[CWE-1095: Loop Condition Value Update within the Loop](CWE-710/CWE-1095/README.md)|| |[CWE-1109: Use of Same Variable for Multiple Purposes](CWE-710/CWE-1109/.)|| +|[CWE-489: Active Debug Code](CWE-710/CWE-489/README.md)|[CVE-2018-14649](https://www.cvedetails.com/cve/CVE-2018-14649),
CVSSv3.1: **9.8**,
EPSS: **69.64** (12.12.2023)| ## Biblography From 47a60267f84050a237963828eff7e156dcaad4aa Mon Sep 17 00:00:00 2001 From: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Date: Fri, 10 Jan 2025 15:04:40 +0100 Subject: [PATCH 2/3] Update docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md Co-authored-by: myteron Signed-off-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md index c484d253..fa24e5e0 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md 
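Review bot: the Related Guidelines table in the new `CWE-489/README.md` links to an internal Ericsson Confluence page (`https://eteamspace.internal.ericsson.com/display/DEVEN/...`) that readers of a public guide cannot reach; point that row at a page in this repository instead (the CWE-532 logging rule covers the same concern) or drop it. The bibliography needs attention too: the `[Hammond 2022]` key is linked to the Wikipedia Monkey_patch URL, its link target is misspelled `hhttps://`, and both entries say `(2024)` while the in-text keys say 2022 and 2023, so keys and years should be reconciled. The rule would also be more actionable with a noncompliant/compliant pair, since the CVE-2018-14649 row already names the concrete pattern (`debug=True` handed to the Werkzeug/Flask development server in `/usr/bin/rbd-target-api`): a short noncompliant snippet calling `app.run(debug=True)` in a deployed service, beside a compliant one that takes the flag from configuration and defaults to off, would show what "separate packaging of design tooling" means in code. Minor: the anti-pattern bullets mix trailing periods and none; pick one.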
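Review bot: the new index row links CVE-2018-14649 to `https://www.cvedetails.com/cve/CVE-2018-14649` while the README it points at links the same CVE to `https://nvd.nist.gov/vuln/detail/CVE-2018-14649`; use one source in both places so readers land on the same record. The severity columns should agree as well: this row says `CVSSv3.1: **9.8**`, whereas the README table reads `CVSS 3.xx: 9.8`, which looks like a placeholder version string and should be `CVSS 3.1`. Since the hunk already touches this spot, the `## Biblography` context heading could take the spelling fix `## Bibliography` in the same PR.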
@@ -39,7 +39,7 @@ Not knowing that a product must be deployed differently in production than in st |[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-710: Improper Adherence to Coding Standards (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/710.html)| |[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-489: Active Debug Code (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/489.html)| |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ENV05-J. Do not deploy an application that can be remotely monitored](https://wiki.sei.cmu.edu/confluence/display/java/ENV05-J.+Do+not+deploy+an+application+that+can+be+remotely+monitored)| -|[Python - Secure Coding One Stop Shop](https://eteamspace.internal.ericsson.com/display/DEVEN/Python+-+Secure+Coding+One+Stop+Shop)|[FIO13-P3. Do not log sensitive information outside a trust boundary](https://eteamspace.internal.ericsson.com/display/DEVEN/FIO13-P3.+Do+not+log+sensitive+information+outside+a+trust+boundary)| +|[Python - Secure Coding One Stop Shop](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/)|[CWE-532: Insertion of Sensitive Information into Log File](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-532/README.md)| ## Bibliography From 0b6f55ebbcdf8f877a3ab65e4cf4c4325c40c71a Mon Sep 17 00:00:00 2001 From: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Date: Fri, 10 Jan 2025 15:04:48 +0100 Subject: [PATCH 3/3] Update docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md Co-authored-by: myteron Signed-off-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> --- docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
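Review bot: the replacement row points at this repository's CWE-532 page through absolute `https://github.com/ossf/wg-best-practices-os-developers/tree/main/...` URLs, but the guide's index (`readme.md`) addresses sibling pages by relative path (`CWE-710/CWE-489/README.md`); a relative link such as `../../CWE-664/CWE-532/README.md` keeps working in forks, on other branches and in local checkouts, so prefer it here. The first-column label also still reads `Python - Secure Coding One Stop Shop` while the link now goes to the OSSF Secure Coding Guide for Python; rename the label to match the destination.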
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md index fa24e5e0..49542123 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-710/CWE-489/README.md @@ -46,4 +46,4 @@ Not knowing that a product must be deployed differently in production than in st ||| |:---|:---| |[[Monkey patch - Wikipedia 2023](https://en.wikipedia.org/wiki/Monkey_patch)]|Wikimedia Foundation. (2024). Monkey patch [online]. Available from: [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch) [accessed 3 January 2025] -|[[Hammond 2022](https://en.wikipedia.org/wiki/Monkey_patch)]|John Hammond. (2024). DANGEROUS Python Flask Debug Mode Vulnerabilities [online]. Available from: [https://www.youtube.com/watch?v=jwBRgaIRdgs](hhttps://www.youtube.com/watch?v=jwBRgaIRdgs) [accessed 3 January 2025] +|[[Hammond 2022](https://www.youtube.com/watch?v=jwBRgaIRdgs)]|DANGEROUS Python Flask Debug Mode Vulnerabilities [online]. Available from: [https://www.youtube.com/watch?v=jwBRgaIRdgs](https://www.youtube.com/watch?v=jwBRgaIRdgs) [accessed 3 January 2025]
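Review bot: the corrected entry drops the author, so the citation key `[Hammond 2022]` no longer matches any name in the entry, and the entry now carries no year at all while the key says 2022; keep `John Hammond.` as the author and give the year that agrees with the key, in the same `Author. (Year). Title [online]. Available from: URL [accessed date]` form the Monkey patch entry directly above uses. Removing the stray Wikipedia URL from the key and the `hhttps://` typo from the link target is the right fix and can stay as is.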