WP6 DIGIT B1 - EP Pilot Project 645
Deliverable 2: Summary of the Evaluation of Results
KeePass Password Safe
Specific contract no 226 under Framework Contract no DI/07172 ABCIII
October 2016
Author:

Disclaimer
The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The content, conclusions and recommendations set out in this publication are elaborated in the specific context of the EU-FOSSA project. The Commission does not guarantee the accuracy of the data included in this study. All representations, warranties, undertakings and guarantees relating to the report are excluded, particularly concerning but not limited to the qualities of the assessed projects and products. Neither the Commission nor any person acting on the Commission's behalf may be held responsible for the use that may be made of the information contained herein.
European Union, 2016. Reuse is authorised, without prejudice to the rights of the Commission and of the author(s), provided that the source of the publication is acknowledged. The reuse policy of the European Commission is implemented by a Decision of 12 December 2011.
Reuse or reproduction authorised without prejudice to the Commission's or the authors' rights. Page 2 of
Report Summary
Title: KeePass Password Safe
Project Owner: DIGIT
Sponsor: KeePass Community, EU-FOSSA project
Author: DIGIT
Type: Public
Version: V 0.5
Version date: 10/10/2016
Reviewed by: EU-FOSSA Team
Revision date: 08/11/2016
Approved by: European Commission - Directorate-General for Informatics (DIGIT)
Approval date: To be approved
Nº Pages:

Distribution list (Name and surname / Area / Copies)
IT contacts: To be identified / To be identified
Communities: KeePass security Team / 1
Contents
CONTENTS... 4
LIST OF TABLES... 5
LIST OF FIGURES... 6
ACRONYMS AND ABBREVIATIONS... 7
1 INTRODUCTION... 8
1.1. CONTEXT... 8
1.2. OBJECTIVE... 8
1.3. SCOPE... 9
1.4. DELIVERABLES... 10
2 EXECUTIVE SUMMARY... 11
3 CODE REVIEW ENVIRONMENT... 13
4 SECURITY ASSESSMENT... 14
4.1. MEDIUM RISK FINDINGS... 15
4.2. LOW RISK FINDINGS... 19
4.3. INFORMATIONAL RISK FINDINGS... 21
5 RECOMMENDATIONS... 25
5.1. DETAILS... 25
5.2. PRIORITISATION...
List of Tables
Table 1: Security Assessment of CBC-VMG-008... 15
Table 2: Security Assessment of CBC-MEM-005... 15
Table 3: Security Assessment of CBC-ENV-004... 16
Table 4: Security Assessment of CBC-MSC-001... 17
Table 5: Security Assessment of CPP-MSC-001... 18
Table 6: Security Assessment of SCD-FWK-001... 19
Table 7: Security Assessment of SCD-VTY-002... 19
Table 8: Security Assessment of CBC-VMG-023... 20
Table 9: Security Assessment of EHI-EHD-002... 21
Table 10: Security Assessment of CPP-VMG-007... 22
Table 11: Security Assessment of CPP-OOP-007... 23
Table 12: Security Assessment of LOG-CFG-004... 23
Table 13: Security Assessment of CPP-VMG-008... 24
Table 14: Security Assessment of CPP-OOP-001... 24
Table 15: Controls with Findings and Recommendations/Specific Solutions... 25
List of Figures
Figure 1: Risk Level... 11
Figure 2: Priority levels...
Acronyms and Abbreviations
AES: Advanced Encryption Standard
CWE: Common Weakness Enumeration
EU-FOSSA: Free and Open Source Software Auditing project
FOSS: Free and Open Source Software
IDE: Integrated Development Environment
WP: Work Package
1 INTRODUCTION

1.1. Context
The security of the applications used nowadays has become a major concern for organisations, companies and citizens in general, as they are becoming a more common part of our daily lives and are being used for business and leisure purposes alike. The information they handle has become the most essential asset to protect, as it includes personal information, internal data, industrial property, etc. From a security point of view, this new scenario presents many new challenges that need to be addressed in order to protect the integrity and confidentiality of the data managed by the applications and their users. Furthermore, their exposure to the Internet has made them a prime target, due to the value that this private and internal information has.
One of the advantages of Free and Open-Source Software (FOSS) is that its source code is readily available for review by anyone, and therefore it virtually enables any user to check and provide new features and fixes, including security ones. Also, from a more professional point of view, it allows organisations to review the code completely and find the vulnerabilities or weaknesses that it presents, allowing for a refinement of their security and in turn a safer experience for all the users of the applications.

1.2. Objective
The objective of this document is to provide, in a summarised format, the results of the code review run on the KeePass Password Safe software, together with a set of recommendations focused on increasing the overall security level of the application. This review is carried out within the EU-FOSSA project, focusing on the security aspects of the software.
The objective of this code review is to examine the KeePass Password Safe software, focusing mainly on its security aspects, the risk that they pose to its users and the integrity and confidentiality of the data contained within.
KeePass is a free and open source software tool which helps to manage passwords in a secure way. All passwords can be stored in one database, which is locked with one master key or a key file. Thus it is only necessary to remember one master password or select the key file to unlock the whole database. The databases are encrypted using the Advanced Encryption Standard (AES) and Twofish encryption algorithms.
1.3. Scope
The scope of the project is as follows:
Application name: KeePass Password Safe
Code review owner: European Commission - Directorate-General for Informatics (DIGIT)
Objective: Security Code Review
Version: 1.31
Programming language: C++
Libraries: MFC v 9.0 (out of the code review scope, as it is Microsoft proprietary code.)
Extensions/plugins: N/A
Services required: N/A
Review start: 24/08/2016
Review end: 23/09/2016
Num. Lines: 84 622
Verification level: 1-Opportunistic / 2-Standard / 3-Advanced
Result visibility: Internal / Restricted / Public
Critical notification: During assessment / final report only
Contact: Dominik Reichl, dominik.reichl@t-online.de
Categories: Data/Input Management; Authentication Controls; Session Management; Authorisation Management; Cryptography; Error Handling / Information Leakage; Software Communications; Specific C controls; Logging/Auditing; Secure Code Design; Optimised Mode Controls; Specific C++ controls; Specific JAVA controls; Specific PHP controls
Comments: The code review of the KeePass Password Safe includes KeePass v 1.31 (1).
(1) Since version 1.21, KeePass has been developed and compiled using Visual Studio 2008 (with MFC 9.0).
1.4. Deliverables
1. WP6 - Deliverable 1: Code Review Results Report KeePass Password Safe
2 EXECUTIVE SUMMARY
This document is a high-level report of the code review performed for the software KeePass Password Safe (version 1.31), where the assessment of the findings is explained, as well as the recommendations to improve the security of the code. For technical details please see the complete KeePass Code Review Results Report (1).
This code review has been carried out following a manual review process aided by two open-source review tools:
1. CodeLite: a free open-source Integrated Development Environment (IDE) for C and C++; it is one of the most widely used IDEs for these languages and is easy to install and use.
2. FlawFinder: a free open-source code review tool developed by David A. Wheeler, an expert in Free and Open Source Software and secure software development. This tool specialises in finding security flaws in C and C++.
The assessment of the findings pointed out by the code review has been performed from the attacker's point of view, where:
The threat is related to the attacker;
The vulnerability is related to the potential issue that may be caused; and
The impact is related to the consequences of the attack being successful.
From a security point of view, KeePass Password Safe can be considered mature. This fact is corroborated by checking the results:
[Figure 1: Risk Level. Bar chart of the number of findings per risk level (Critical, High, Medium, Low and Informational); the bar values shown are 5, 6, 3, 0 and 0, and Section 4 gives the breakdown by control.]
All of the findings can be solved easily without performing complex developments, and the risk of them being exploited is either low or not possible without modifying the source code itself.
(1) See the EU-FOSSA Community on Joinup: link
Furthermore, these vulnerabilities are hard to exploit, which makes it difficult to take advantage of them in normal environments. However, in custom implementations this needs to be double-checked, as oversights or changes may make these vulnerabilities directly exploitable by attackers.
It is important to note that this code review does not guarantee that all of the vulnerabilities are detected. Some security issues can remain undetected; therefore it is advisable to carry out other security tests to complement this code review.
As far as prioritisation is concerned, it is proposed according to the criticality of the findings: medium risk findings should be resolved in the short term, low risk findings in the mid term, and the informative ones in the long term.
3 CODE REVIEW ENVIRONMENT
In order to carry out the code review and analysis, a specific code review environment had to be set up with the necessary tools (both automated and manual).
For the manual code review, an IDE (Integrated Development Environment) was used:
CodeLite: a FOSS application that is light, user-friendly and has a high maturity level (version 9). It is cross-platform (supporting Windows, the major Linux distributions and Mac OS). It supports the following languages: C, C++, JavaScript and PHP. One of the main reasons why it was chosen is its excellent support of C and C++ code. Source: http://www.codelite.org/
Alongside this IDE, an automated tool was also used to help complement the findings and potential results:
FlawFinder: a FOSS automatic secure code review tool mainly focused on C and C++ code. It mainly supports Linux and Unix-based operating systems, although it can also be run on Windows when compiled using Cygwin. It is compatible with the Common Weakness Enumeration (CWE), providing useful feedback on any finding. As a side note, this tool was developed by David A. Wheeler, an authority in the fields of secure software development and open-source software. Source: http://www.dwheeler.com/flawfinder/
4 SECURITY ASSESSMENT
There were a total of 10 batches with findings in 14 controls. These controls are grouped based on their overall risk level:
Medium Risk: CBC-VMG-008, CBC-MEM-005, CBC-MSC-001, CPP-MSC-001, CBC-ENV-004
Low Risk: SCD-FWK-001, SCD-VTY-002, CBC-VMG-023
Informational Risk: LOG-CFG-004, CPP-VMG-008, CPP-OOP-001, EHI-EHD-002, CPP-VMG-007, CPP-OOP-007
After a detailed review and following an information exchange with the KeePass point of contact, it was determined that some of these findings are controlled within the code, so the risk is mitigated and they do not represent a security vulnerability. However, they are still mentioned here to be considered in future developments. These findings are: CBC-MSC-001, CBC-ENV-004, CPP-MSC-001, EHI-EHD-002, CPP-VMG-007, CPP-OOP-007.
4.1. Medium Risk Findings

Table 1: Security Assessment of CBC-VMG-008
Control: CBC-VMG-008 - Ensure that floating-point conversions are within the range of the new type
Finding: In floating-point value conversions, if the destination type is smaller than the origin, it must be verified that the value can fit in the new type.
Detections: File/s: %root%\wingui\newgui\bcmenu.cpp; Line/s: 2686, 2749
Assessment: There are no error management controls on the return value of the GetUpperBound() method. Any errors in the type conversion must be controlled and managed; thus the possible errors or exceptions that this function can trigger must be controlled.
Threat (): to exploit this functionality, it is necessary to have access to the code.
Vulnerability (): it is hard to find this vulnerability and to exploit it as well. It is also not publicly known.
Impact (): it can only affect local computers. The result of its occurrence is a loss of data integrity and precision.
Related vulnerability code: N/A.

Table 2: Security Assessment of CBC-MEM-005
Control: CBC-MEM-005 - Allocate sufficient memory for an object
Finding: It is necessary to guarantee that storage for strings has sufficient space available for character data and, consequently, to allocate sufficient memory for an object.
Detections: File/s: %root%\wingui\pwsafe.cpp; Line/s: 496
Assessment: The _tcslen function is not capable of handling strings that are not \0-terminated. If such a string is passed without \0-termination, the function will execute an over-read and potentially cause the application to crash if no further controls are in place.
Threat (): to exploit this functionality, it is necessary to have access to the code. On the other hand, this finding can be detected using automatic tools.
Vulnerability (): these functions do not have any control or filtering functionality to check the parameter received, so they can receive a non \0-terminated string.
Impact (): it can only affect local computers.
Related vulnerability code: CWE-126.
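The two checks behind Tables 1 and 2, written as an added C++ example (this is not code from the report or from KeePass): narrow_checked() refuses a floating-point conversion whose value does not fit the destination type, and bounded_length()/copy_terminated() measure and copy a string without ever reading past a buffer that may lack its terminating \0, which is the over-read the _tcslen finding describes. The function names, buffer sizes and sample inputs are assumptions made for the example.

```cpp
// Added example (not KeePass code): defensive checks for CBC-VMG-008 and CBC-MEM-005.
#include <cmath>
#include <cstddef>
#include <cstring>
#include <limits>
#include <type_traits>

// Convert a floating-point `value` to the narrower type To. Returns false and
// leaves `out` untouched when the value is NaN, infinite, or outside To's range,
// instead of silently truncating or invoking undefined behaviour.
// The range comparison is done in double, which is exact for destination
// types up to 32 bits wide (int, short, float); wider integers need a stricter check.
template <typename To, typename From>
bool narrow_checked(From value, To& out) {
    static_assert(std::is_floating_point<From>::value, "From must be a floating-point type");
    const double v = static_cast<double>(value);
    if (std::isnan(v) || std::isinf(v)) return false;
    if (std::is_integral<To>::value) {
        // Integer destination: the truncated value must lie within [min, max].
        const double lo = static_cast<double>(std::numeric_limits<To>::min());
        const double hi = static_cast<double>(std::numeric_limits<To>::max());
        const double t = std::trunc(v);
        if (t < lo || t > hi) return false;
    } else {
        // Floating destination (e.g. double -> float): magnitude must be representable.
        const double hi = static_cast<double>(std::numeric_limits<To>::max());
        if (std::fabs(v) > hi) return false;
    }
    out = static_cast<To>(value);
    return true;
}

// Length of `s` counted only within the first `buf_size` bytes. Unlike
// _tcslen/strlen it never reads past the buffer; a string with no terminator
// inside the buffer is reported as buf_size, which callers can treat as an error.
std::size_t bounded_length(const char* s, std::size_t buf_size) {
    std::size_t n = 0;
    while (n < buf_size && s[n] != '\0') ++n;
    return n;
}

// Copy a string from a buffer of known size into `dst`, guaranteeing that the
// result is \0-terminated (the control R02_CBC-MEM-005 asks for). Returns false
// when the source has no terminator within `src_buf` or the destination is too small.
bool copy_terminated(const char* src, std::size_t src_buf, char* dst, std::size_t dst_size) {
    const std::size_t n = bounded_length(src, src_buf);
    if (n == src_buf) return false;      // no \0 found inside the source buffer
    if (n + 1 > dst_size) return false;  // no room for the data plus its terminator
    std::memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}
```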
Table 3: Security Assessment of CBC-ENV-004
Control: CBC-ENV-004 - Do not call the system() function
Finding: The use of system() functions can result in exploitable vulnerabilities, allowing the execution of arbitrary system commands.
Detections: File/s: %root%\wingui\updateinfodlg.cpp, Line/s: 144; %root%\winngui\pwsafedlg.cpp, Line/s: 627, 635, 6418, 8710; %root%\wingui\newgui\xhyperlink.cpp, Line/s: 596
Assessment: shellexecute: this causes a new program to execute and is difficult to use safely. If the path is not provided, the use of system() functions to execute a command could potentially execute the wrong application with the same filename. It is recommended to use an alternative function that controls this eventuality.
Threat (): to exploit this functionality, it is necessary to have access to the code. On the other hand, this finding can be detected using automatic tools.
Vulnerability (): these functions do not have any control or filtering functionality, thus being able to potentially execute any command passed through them.
Impact (): it can only affect local computers; therefore remote programs cannot be accessed unless previously downloaded.
Related vulnerability code: CWE-78.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about it.
Table 4: Security Assessment of CBC-MSC-001
Control: CBC-MSC-001 - Do not use the rand() function to generate pseudorandom numbers
Finding: The rand() function should not be used to generate random numbers, as they are predictable due to the short cycle of numbers that it uses.
Detections: File/s: %root%\keepasslibcpp\sysspec_windows\newrandom.cpp, Line/s: 74, 76, 78; %root%\wingui\util\winutil.cpp, Line/s: 954
Assessment: rand(): the rand() function is no longer safe, as it does not provide enough entropy to be considered apt for security applications. The use of an alternative function is recommended, such as random().
Threat (): to exploit this functionality, it is necessary to have access to the code. Furthermore, the attacker should have advanced coding and networking skills. On the other hand, this finding can be detected using automatic tools.
Vulnerability (): the weak entropy of the rand() function leads to predictable random numbers.
Impact (): it is easier to guess the random number when using this function instead of other similar ones.
Related vulnerability code: CWE-327.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about this function. The usage of rand() must be ceased in future developments.
Table 5: Security Assessment of CPP-MSC-001
Control: CPP-MSC-001 - Do not use std::rand() to generate pseudorandom numbers
Finding: Using the std::rand() function could lead to predictable random numbers.
Detections: File/s: %root%\winngui\pwsafedlg.cpp; Line/s: 654
Assessment: This function is not sufficiently random for security-related functions such as key and nonce creation.
Threat (): to exploit this functionality, it is necessary to have access to the code. Furthermore, the attacker should have advanced coding and networking skills. On the other hand, this finding can be detected using automatic tools.
Vulnerability (): the weak entropy of the std::rand() function leads to predictable random numbers.
Impact (): it is easier to guess the random number when using this function instead of another similar one.
Related vulnerability code: CWE-76.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned here to create awareness about this function. The usage of std::rand() must be ceased in future developments.
4.2. Low Risk Findings

Table 6: Security Assessment of SCD-FWK-001
Control: SCD-FWK-001 - All frameworks and third party components are up-to-date
Finding: RegCreateKey: this function is provided only for compatibility with 16-bit versions of Windows. Applications should use the RegCreateKeyEx function.
Detections: File/s: %root%\wingui\pwsafe.cpp; Line/s: 328
Assessment: The use of obsolete functions is discouraged unless strictly necessary due to legacy concerns. These functions are known and easily discoverable using automated tools.
Threat (): it is publicly known and detectable, but it can only be indirectly exploited.
Vulnerability (High): deprecated functions usually have well-known flaws that can be exploited.
Impact (): it only affects a limited part of the application.
Related vulnerability code: CWE-676.

Table 7: Security Assessment of SCD-VTY-002
Control: SCD-VTY-002 - On division operations, check that the divisor does not equal zero
Finding: The size of the lpstrtext variable is not controlled against invalid or zero values.
Detections: File/s: %root%\wingui\newgui\bcmenu.cpp; Line/s: 1011
Assessment: In division operations, the values must be checked to ensure that no invalid values are operated on and that no value is divided by zero.
Threat (): the attacker needs access to the code and specific skills to exploit this vulnerability.
Vulnerability (): it is hard to find and to exploit this vulnerability, but it is a wrong coding practice.
Impact (): it only has an effect in the cases where the lpstrtext function returns a 0 value.
Related vulnerability code: N/A.
Table 8: Security Assessment of CBC-VMG-023
Control: CBC-VMG-023 - Do not read uninitialised memory
Finding: The sztitle variable is not initialised before accessing its content. The m_value variable is not initialised before accessing its content.
Detections: File/s: %root%\wingui\util\sendkeys.cpp; Line/s: 585
Assessment: Local, automatic variables assume unexpected values if they are read before they are initialised.
Threat (): the attacker needs to have access to specific resources and must have advanced computer skills to exploit this flaw.
Vulnerability (): it is hard to discover and to exploit.
Impact (): it can lead to unexpected behaviour when accessing the unexpected values of non-initialised variables.
Related vulnerability code: N/A.
4.3. Informational Risk Findings

Table 9: Security Assessment of EHI-EHD-002
Control: EHI-EHD-002 - Try-catch-finally block
Risk: Informational
Finding: The finally statement should always be present, and used to release system resources and perform other clean-up actions. If any of these additional actions within the finally block can throw exceptions, these need to be captured within a new try-catch-finally block.
Detections: File/s: %root%\wingui\util\sessionnotify.; Line/s: 65
Assessment: Those programming languages that have the try-catch-finally structure have to be used correctly. The finally statement should always be present, and used to release system resources and perform other clean-up actions.
Threat (): users cannot directly take advantage of this vulnerability.
Vulnerability (): risk of memory exhaustion or of leaving a component in an undefined state.
Impact (): can cause an application to freeze or even crash.
Related vulnerability code: N/A.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about it.
Table 10: Security Assessment of CPP-VMG-007
Control: CPP-VMG-007 - Guarantee that container indexes/iterators are within a valid range
Risk: Informational
Finding: The pos variable, used to access array positions, is manually incremented, and no range controls are in place to ensure that the value remains valid and within bounds. A misuse of this variable can lead to improper behaviour, even a program crash.
Detections: File/s: %root%\keepasslibcpp\details\pwfileimpl.cpp; Line/s: 4, 9, 305
Assessment: Ensuring that array references are within the bounds of the array is almost entirely the responsibility of the programmer when using standard template library vectors.
Threat (): the index used to go through the array is not commonly obtained from direct user input.
Vulnerability (): the lack of length control can be exploited to cause a lack of memory or even a crash of the application.
Impact (): it would only affect a section of the code and it would be complex for it to cause severe damage.
Related vulnerability code: N/A.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about it.
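The kind of control Table 10 asks for, as an added C++ example (not code from the report or from KeePass): a cursor over a byte buffer that replaces a raw, manually incremented pos. Every read first checks that the requested range lies inside the buffer, and a length prefix read from the data is validated against the bytes remaining before it is used as a size, so a truncated or malformed image fails cleanly instead of being read past its end. The BufferCursor class, the length-prefixed field layout and the two sample images are assumptions constructed for the example and are not the KeePass file format.

```cpp
// Added example (not KeePass code): bounds-checked cursor for CPP-VMG-007.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

class BufferCursor {
public:
    BufferCursor(const std::uint8_t* data, std::size_t size) : data_(data), size_(size), pos_(0) {}

    std::size_t remaining() const { return size_ - pos_; }
    std::size_t position() const { return pos_; }

    // Advance only if `n` bytes remain, so pos_ can never exceed size_.
    bool skip(std::size_t n) {
        if (n > remaining()) return false;
        pos_ += n;
        return true;
    }

    // Read a little-endian 32-bit value; fails if fewer than 4 bytes remain.
    bool read_u32(std::uint32_t& out) {
        if (remaining() < 4) return false;
        out = static_cast<std::uint32_t>(data_[pos_])
            | (static_cast<std::uint32_t>(data_[pos_ + 1]) << 8)
            | (static_cast<std::uint32_t>(data_[pos_ + 2]) << 16)
            | (static_cast<std::uint32_t>(data_[pos_ + 3]) << 24);
        pos_ += 4;
        return true;
    }

    // Read a length-prefixed field. The prefix comes from the data itself, so
    // it is checked against remaining() before it is trusted as a size.
    bool read_field(std::vector<std::uint8_t>& out) {
        std::uint32_t len = 0;
        if (!read_u32(len)) return false;
        if (len > remaining()) return false;   // prefix claims more bytes than exist
        out.assign(data_ + pos_, data_ + pos_ + len);
        pos_ += len;
        return true;
    }

private:
    const std::uint8_t* data_;
    std::size_t size_;
    std::size_t pos_;
};

// Parse every length-prefixed field in `image`. Returns the number of fields,
// or -1 if the image is truncated or a length prefix is out of range.
int parse_fields(const std::vector<std::uint8_t>& image, std::vector<std::string>& fields) {
    BufferCursor cur(image.data(), image.size());
    fields.clear();
    while (cur.remaining() > 0) {
        std::vector<std::uint8_t> f;
        if (!cur.read_field(f)) return -1;
        fields.emplace_back(f.begin(), f.end());
    }
    return static_cast<int>(fields.size());
}

// Constructed sample images (assumed layout: u32 length, then that many bytes).
std::vector<std::uint8_t> good_image() {
    return {3, 0, 0, 0, 'a', 'b', 'c', 2, 0, 0, 0, 'x', 'y'};
}
std::vector<std::uint8_t> bad_image() {
    return {200, 0, 0, 0, 'a', 'b'};   // prefix says 200 bytes, only 2 follow
}
std::vector<std::uint8_t> truncated_image() {
    return {3, 0, 0, 0, 'a', 'b', 'c', 2, 0};   // second prefix cut short
}
```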
Table 11: Security Assessment of CPP-OOP-007
Control: CPP-OOP-007 - Prefer special member functions and overloaded operators to C Standard Library functions
Risk: Informational
Finding: The memset() function should not be used to initialise objects, as it may not properly initialise the value representation of the object. Improper initialisation leads to class invariants that do not apply in later uses of the object.
Detections: File/s: %root%\wingui\newgui\btnst.cpp, Line/s: 503; %root%\wingui\newgui\cbmenu.h, Line/s: 71
Assessment: Several C standard library functions perform byte-wise operations on objects.
Threat (): the attacker needs special access or specific resources and must have advanced coding skills to exploit this flaw.
Vulnerability (): it is hard to find and to exploit this vulnerability.
Impact (): the improper initialisation leads to class invariants that do not apply in later uses of the object. It can lead to an application malfunction.
Related vulnerability code: N/A.
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about it.

Table 12: Security Assessment of LOG-CFG-004
Control: LOG-CFG-004 - Logging exceptions
Risk: Informational
Finding: There is no logging functionality implemented in the catch() block; therefore any exception captured is not logged, nor is any trace of this event recorded.
Detections: File/s: %root%\keepasslibcpp\details\pwfindimpl.cpp; Line/s: from 51 to 60
Assessment: Exceptions must be logged in a proper manner in case they are not to be thrown.
Threat (): users cannot directly take advantage of this vulnerability.
Vulnerability (): it is hard to discover and its exploitation is theoretical.
Impact (): its exploitation does not directly damage the system.
Related vulnerability code: N/A.
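The point of Table 11 in working C++, as an added example (not code from the report or from KeePass): a class that owns std::string members must not be zeroed byte-wise, because memset overwrites the strings' internal pointers rather than their contents. The example shows the alternatives listed later in recommendation R11_CPP-OOP-007 (in-class initialisers, a clear() built on copy-and-swap with a default-initialised instance, and an equality operator) and a zero_fill() wrapper that turns memset misuse on a non-trivial type into a compile-time error. The Entry and PlainHeader types are assumptions constructed for the example.

```cpp
// Added example (not KeePass code): initialising and clearing objects without memset (CPP-OOP-007).
#include <cstdint>
#include <cstring>
#include <string>
#include <type_traits>
#include <utility>

struct Entry {
    std::string title;
    std::string username;
    int icon = 0;   // in-class initialiser: a fresh Entry needs no memset to be valid

    // R11 option: clear() as copy-and-swap with a default-initialised instance.
    // Each member's own destructor/assignment runs, so the strings release their
    // storage instead of having their internal pointers zeroed.
    void clear() {
        Entry fresh;
        std::swap(*this, fresh);
    }

    // R11 option: an equality operator, so state is compared by value rather
    // than by memcmp over bytes that include heap pointers and padding.
    bool operator==(const Entry& other) const {
        return title == other.title && username == other.username && icon == other.icon;
    }
    bool operator!=(const Entry& other) const { return !(*this == other); }
};

// Byte-wise zeroing is only well-defined for trivially copyable types. This
// wrapper refuses to compile for anything else, which is where a plain
// std::memset(&obj, 0, sizeof obj) would silently corrupt the object.
template <typename T>
void zero_fill(T& obj) {
    static_assert(std::is_trivially_copyable<T>::value,
                  "use a constructor or clear() for types with non-trivial members");
    std::memset(&obj, 0, sizeof obj);
}

// A plain record of integers: trivially copyable, so zero_fill() is acceptable here.
struct PlainHeader {
    std::uint32_t magic;
    std::uint32_t version;
};

// Whether a type may safely be initialised with memset at all.
template <typename T>
bool memset_safe() { return std::is_trivially_copyable<T>::value; }
```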
Table 13: Security Assessment of CPP-VMG-008
Control: CPP-VMG-008 - Guarantee that library functions do not form invalid iterators
Risk: Informational
Finding: Memory operations: memory operations done using memcpy are used several times without checking the size of the source and destination. The function does not verify whether the destination container is able to hold the element to be copied via memcpy().
Detections: File/s: %root%\wingui\addentrydlg.cpp; Line/s: 1071
Assessment: Copying data into a container that is not large enough to hold the original data will result in a buffer overflow.
Threat (): the code would need to be modified directly in order to exploit this vulnerability, although it is discoverable with automated tools.
Vulnerability (): this vulnerability entails the known risk of losing the integrity of the memory locations being managed within the function (or those accessed by it).
Impact (): it is complex to exploit this vulnerability, but the lack of a size control for arrays in the code can result in an overflow.
Related vulnerability code: N/A.

Table 14: Security Assessment of CPP-OOP-001
Control: CPP-OOP-001 - Do not invoke virtual functions from constructors or destructors
Risk: Informational
Finding: CShutdownBlocker is declared as a virtual function in the header file.
Detections: File/s: %root%\wingui\util\shutdownblocker.cpp; Line/s: 60
Assessment: A virtual function is invoked from a constructor within an inherited class. Attempting to call a derived-class function from a base class under construction is dangerous: the derived class has not had the opportunity to initialise its resources, which is why calling a virtual function from a constructor does not result in a call to a function in a more derived class.
Threat (): special access and skills are needed to reach the vulnerability.
Vulnerability (): it is hidden and hard to exploit.
Impact (): it can lead to unexpected behaviour.
Related vulnerability code: N/A.
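Tables 13 and 14 in working C++, as an added example (not code from the report or from KeePass). checked_copy() is a memcpy that verifies the destination capacity before copying, and TextField shows it used for a fixed-size dialog field with forced \0-termination (CPP-VMG-008). Base/Derived demonstrates the behaviour Table 14 describes: a virtual call made from the base constructor resolves to the base version because the derived part does not exist yet; SafeBase/SafeDerived shows the pattern from recommendation R14_CPP-OOP-001, where the constructor calls only a non-virtual private member and the derived constructor passes in what the base needs. All type and function names are assumptions constructed for the example.

```cpp
// Added example (not KeePass code): CPP-VMG-008 (checked memcpy) and CPP-OOP-001 (virtual calls in constructors).
#include <cstddef>
#include <cstring>
#include <string>

// Copy `src_len` bytes into `dst`, which holds at most `dst_cap` bytes.
// Returns false and copies nothing if the data would not fit, instead of overflowing.
bool checked_copy(void* dst, std::size_t dst_cap, const void* src, std::size_t src_len) {
    if (dst == nullptr || src == nullptr) return false;
    if (src_len > dst_cap) return false;
    std::memcpy(dst, src, src_len);
    return true;
}

// Fixed-size text field as found in dialog code: the copy is bounded and the
// result is always \0-terminated, so later string functions cannot over-read it.
struct TextField {
    char buf[16];
    TextField() { buf[0] = '\0'; }
    bool set(const std::string& s) {
        if (!checked_copy(buf, sizeof buf - 1, s.data(), s.size())) return false;
        buf[s.size()] = '\0';
        return true;
    }
    std::string value() const { return std::string(buf); }
};

// CPP-OOP-001, the problem: the base constructor calls a virtual function.
// While Base() runs, the dynamic type is still Base, so Base::describe() is
// what executes, and whatever Derived would have contributed is never seen.
struct Base {
    std::string seen_in_ctor;
    Base() { seen_in_ctor = describe(); }
    virtual ~Base() = default;
    virtual std::string describe() const { return "base"; }
};
struct Derived : Base {
    std::string describe() const override { return "derived"; }
};

// R14 pattern: the constructor calls only a non-virtual private helper, and the
// derived constructor supplies the derived-specific value explicitly.
struct SafeBase {
    std::string seen_in_ctor;
protected:
    explicit SafeBase(const std::string& description) { record(description); }
private:
    void record(const std::string& d) { seen_in_ctor = d; }   // non-virtual
};
struct SafeDerived : SafeBase {
    SafeDerived() : SafeBase("derived") {}
};

std::string description_during_construction() { Derived d; return d.seen_in_ctor; }
std::string description_with_fix() { SafeDerived d; return d.seen_in_ctor; }
```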
5 RECOMMENDATIONS

5.1. Details
The code review has evaluated the security level of the application analysed and identified vulnerabilities and weaknesses that can put it at risk. In this section, for each finding a corresponding recommendation is given to help increase the overall security level of the application. Table 15 shows the recommendations that should be implemented for each of the findings described and assessed in Section 4.

Table 15: Controls with Findings and Recommendations/Specific Solutions
Control with Findings / Recommendation/Specific Solution

CBC-VMG-008 / R01_CBC-VMG-008
Recommendation: There must be a control within the code to check the return value of the GetUpperBound method in order to manage possible errors or exceptions.

CBC-MEM-005 / R02_CBC-MEM-005
The _tcslen function is not capable of handling strings that are not \0-terminated. The code must have controls to ensure that the string is passed with \0-termination, or add \0 at the end of the string if necessary.

CBC-ENV-004 / R03_CBC-ENV-004
This issue is controlled programmatically within the KeePass code. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained. Where more control is required on what will be executed, use ShellExecuteEx instead of ShellExecute. ShellExecuteEx provides additional functionality. If you don't require any of the functionality provided by ShellExecuteEx, keep it simple and stick with ShellExecute.
CBC-MSC-001 / R04_CBC-MSC-001
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code because it is not related to the main functionality of the software (encryption). However, it is still mentioned to create awareness about this function and as an informational issue. The usage of rand() must be ceased in future developments. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained.
Recommendation: The rand() function does not provide enough entropy. The usage of other functions such as random() is recommended.

CPP-MSC-001 / R05_CPP-MSC-001
This issue is controlled programmatically within the KeePass code. The issue in this case does not affect the security of the code at all because it is not related to the crucial functionality of the software (encryption). However, it is still mentioned to create awareness about this function and as an informational issue. The usage of std::rand() must be ceased in future developments. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained.
Recommendation: The std::rand() function is not sufficiently random for security-related functions. Instead it is recommended to implement code such as:

    #include <random>
    std::default_random_engine engine;
    engine.seed(n);                              // n: seed value supplied by the caller
    std::uniform_int_distribution<> distribution;
    auto rand = [&]() { return distribution(engine); };   // local generator used in place of std::rand()
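The replacement proposed in R04_CBC-MSC-001 and R05_CPP-MSC-001, written as a reusable generator, with a demonstration of why the report objects to rand(): reseeded with the same value, rand() replays the same sequence, so anyone who knows or guesses the seed knows every value. This is an added C++ example, not code from the report or from KeePass, and the RangeGenerator class and the test seeds are assumptions. One caveat added here that the report does not state: std::default_random_engine is not a cryptographic generator either, and the seeded constructor below is exactly as reproducible as rand(); the example therefore seeds from std::random_device by default, and keys or nonces (the security-related functions Table 5 names) should come from the platform's cryptographic random source rather than from any std engine.

```cpp
// Added example (not KeePass code): std::rand() replacement from R05, plus why rand() is weak.
#include <cstdlib>
#include <random>
#include <vector>

class RangeGenerator {
public:
    // Default: seed from std::random_device. A time-based or constant seed is
    // guessable, which is the same predictability the report describes for rand().
    RangeGenerator() : engine_(std::random_device{}()) {}
    // Deterministic seed: for reproducible tests only, never for production use.
    explicit RangeGenerator(unsigned seed) : engine_(seed) {}

    // Uniform integer in [lo, hi]; uniform_int_distribution removes the modulo
    // bias that `rand() % n` introduces.
    int next(int lo, int hi) {
        std::uniform_int_distribution<int> dist(lo, hi);
        return dist(engine_);
    }

private:
    std::default_random_engine engine_;
};

// Demonstrates the weakness: srand() with the same seed makes rand() replay
// the identical sequence, so the output is fully determined by the seed.
bool rand_replays_with_same_seed(unsigned seed, int count) {
    std::vector<int> first, second;
    std::srand(seed);
    for (int i = 0; i < count; ++i) first.push_back(std::rand());
    std::srand(seed);
    for (int i = 0; i < count; ++i) second.push_back(std::rand());
    return first == second;
}

// Checks that `count` draws from the generator all stay inside [lo, hi].
bool all_in_range(RangeGenerator& g, int lo, int hi, int count) {
    for (int i = 0; i < count; ++i) {
        const int v = g.next(lo, hi);
        if (v < lo || v > hi) return false;
    }
    return true;
}

// Two engines seeded identically produce identical output: the reason the
// seed itself must be unpredictable (or a CSPRNG used) for security purposes.
bool seeded_engines_agree(unsigned seed, int count) {
    RangeGenerator a(seed), b(seed);
    for (int i = 0; i < count; ++i) {
        if (a.next(0, 1000000) != b.next(0, 1000000)) return false;
    }
    return true;
}
```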
EHI-EHD-002 / R06_EHI-EHD-002
This issue is controlled programmatically within the KeePass code. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained.
Recommendation: The finally statement should always be present, and used to release system resources and to perform other clean-up actions. If any of these additional actions can throw exceptions, these need to be captured within a new try-catch-finally block.

SCD-FWK-001 / R07_SCD-FWK-001
Specific Solution: The usage of deprecated functions is discouraged. RegCreateKey: this function is provided only for compatibility with 16-bit versions of Windows. Applications should use the RegCreateKeyEx function.

SCD-VTY-002 / R08_SCD-VTY-002
Recommendation: Check the lpstrtext variable to ensure that no invalid or zero values are received.

CBC-VMG-023 / R09_CBC-VMG-023
Recommendation: Always initialise variables prior to accessing their content; otherwise it will lead to unexpected behaviour.

CPP-VMG-007 / R10_CPP-VMG-007
This issue is controlled programmatically within the KeePass code. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained.
Recommendation: There must be controls in place to ensure that the values used in indexes or iterators remain within the valid range.
CPP-OOP-007 / R11_CPP-OOP-007
This issue is controlled programmatically within the KeePass code. Before deciding to change it, one must take into account the risk of adding more complexity to the code, and ensure that the mitigation of the risk that is provided via the code is maintained.
Recommendations: The behaviour of std::memset() can be avoided with other options:
std::memset may be optimised away if the object modified is not accessed again for the rest of its lifetime.
Defining an assignment operator that is used instead.
Replacing the call to this function with a default-initialised copy-and-swap operation called clear().
Defining an equality operator that is used instead.

LOG-CFG-004 / R12_LOG-CFG-004
Recommendation: Log any exception captured that will not be re-thrown, so as to have a record of the event.

CPP-VMG-008 / R13_CPP-VMG-008
Recommendation: Set controls in place to ensure that the destination container can hold the element to be copied without losing memory integrity in memcpy() operations.

CPP-OOP-001 / R14_CPP-OOP-001
Specific Solution: Call a non-virtual, private member function from constructors or destructors instead of calling a virtual function.
5.2. Prioritisation
Once the severity of the findings found during the code review has been determined, the following step in the methodology includes a prioritisation process and an action plan definition. This allows the stakeholders and project owners to identify the most urgent findings that need to be solved, allowing the planning of the fixes as part of the standard development cycle. For this purpose, the following priority sets have been established. The main consideration is to solve the medium risk findings identified during this code review in the short term. The low risk findings should be targeted in the mid term, and finally the informative findings do not require any priority. Thus, the following graph has been generated:

Figure 2: Priority levels
Short-term: CBC-VMG-008, CBC-MEM-005, CBC-ENV-004, CBC-MSC-001, CPP-MSC-001
Mid-term: SCD-FWK-001, SCD-VTY-002, CBC-VMG-023
Long-term: EHI-EHD-002, LOG-CFG-004, CPP-VMG-007, CPP-VMG-008, CPP-OOP-001, CPP-OOP-007