CWE-909 Classe Incompleto Medium likelihood

Missing Initialization of Resource

The software fails to properly set up a critical resource before using it.

Definição

What is CWE-909?

The software fails to properly set up a critical resource before using it.
Many system resources, like memory buffers, file handles, or configuration objects, need explicit setup before they're safe to use. When this initialization step is skipped, the resource may contain leftover data from previous operations, expired values, or system defaults that are invalid for your specific use case. This unpredictable state becomes a security problem when your code assumes the resource has specific, trustworthy properties. From a developer's perspective, this often happens when you allocate a resource but don't populate it with known, safe values. Attackers can exploit this by manipulating or predicting the uninitialized content, leading to information leaks, crashes, or unexpected program behavior. Always explicitly initialize all resources to a known, secure state, even if you think the system or compiler will do it for you.
Impacto no mundo real

Real-world CVEs caused by CWE-909

  • CVE-2020-20739

    A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage

  • CVE-2005-1036

    Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

  2. 2

    The following code intends to limit certain operations to the administrator only.

  3. 3

    If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.

  4. 4

    The following code intends to concatenate a string to a variable and print the string.

  5. 5

    This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.

Exemplo de código vulnerável

Vulnerable Java

Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

Vulnerável Java 
private boolean initialized = true;
  public void someMethod() {
  		if (!initialized) {
```
// perform initialization tasks* 
  				...
  				
  				initialized = true;}
Exemplo de código seguro

Secure C

When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:

Seguro C 
char *test_string = "Done at the beginning";
 if (i != err_val)
 {

```
  test_string = "Hello World!";
 }
 printf("%s", test_string);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-909

  • Implementation Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
  • Implementation Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
  • Implementation Avoid race conditions (CWE-362) during initialization routines.
  • Build and Compilation Run or compile your product with settings that generate warnings about uninitialized variables or data.
Sinais de deteção

How to detect CWE-909

SAST High

Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.

DAST Moderate

Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.

Runtime Moderate

Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.

Code review Moderate

Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-909 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-909?

The software fails to properly set up a critical resource before using it.

Qual a gravidade do CWE-909?

A MITRE classifica a probabilidade de exploração como Média — a exploração é realista mas normalmente requer condições específicas.

Que linguagens ou plataformas são afetadas pelo CWE-909?

A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.

Como posso prevenir o CWE-909?

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps. Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Como é que o Plexicus deteta e corrige o CWE-909?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-909 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-909?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/909.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-909

CWE-665 Pai

Improper Initialization

This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it…

CWE-1188 Irmão

Initialization of a Resource with an Insecure Default

This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…

CWE-1279 Irmão

Cryptographic Operations are run Before Supporting Units are Ready

This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…

CWE-1419 Irmão

Incorrect Initialization of Resource

This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…

CWE-1434 Irmão

Insecure Setting of Generative AI/ML Model Inference Parameters

This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…

CWE-455 Irmão

Non-exit on Failed Initialization

This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup…

CWE-456 Irmão

Missing Initialization of a Variable

This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…

CWE-457 Irmão

Use of Uninitialized Variable

This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…

CWE-770 Irmão

Allocation of Resources Without Limits or Throttling

This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo