U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage

Published: June 24, 2013

Author(s): William L. Fithen Maturity Levels and Audience Indicators: L4  / D/P  SDLC Life Cycles: Implementation Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

Failing to initialize storage can introduce vulnerability.

Description

When allocated, storage may not have been initialized, meaning that whatever was left in storage from its previous use is still there. If that storage might contain leftover secrets, like passwords, then accidentally disclosing that data amounts to a security leak—of information from the previous user.

When your system, in turn, deallocates storage that contains secrets, it may be leaking those secrets to the next user of the storage.

References

CitationBibliographic Entry
[Thompson 05]

Thompson, Herbert & Chase, Scott. The Software Vulnerability Guide. Charles River Media, 211-222. 2005.

[VU#412115]

Lanza, Jeffrey P. Network device drivers reuse old frame buffer data to pad packets. 2003. http://www.kb.cert.org/vuls/id/412115.

 


Back to Top