Inefficient Algorithmic Complexity
Incomplete Class
Structure: Simple
Description
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Common Consequences 1
Scope: Availability
Impact: DoS: Resource Consumption (CPU)DoS: Resource Consumption (Memory)DoS: Resource Consumption (Other)
The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
Demonstrative Examples 1
ID : DX-158
This example attempts to check if an input string is a "sentence" [REF-1164].Code Example:
Bad
JavaScript
var test_string = "Bad characters: $@#"; var bad_pattern = /^(\w+\s?)*$/i; var result = test_string.search(bad_pattern);
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.
To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
Code Example:
Good
JavaScript
var test_string = "Bad characters: $@#"; var good_pattern = /^((?=(\w+))\2\s?)*$/i; var result = test_string.search(good_pattern);
Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.
Observed Examples 14
CVE-2021-32617C++ library for image metadata has "quadratic complexity" issue with unnecessarily repetitive parsing each time an invalid character is encountered
CVE-2020-10735Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2014-1474Perl-based email address parser has "quadratic complexity" issue via a string that does not contain a valid address
CVE-2003-0244CPU consumption via inputs that cause many hash table collisions.
CVE-2003-0364CPU consumption via inputs that cause many hash table collisions.
CVE-2002-1203Product performs unnecessary processing before dropping an invalid packet.
CVE-2001-1501CPU and memory consumption using many wildcards.
CVE-2004-2527Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
CVE-2006-6931Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack."
CVE-2006-3380Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2006-3379Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2005-2506OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
CVE-2005-1792Memory leak by performing actions faster than the software can clear them.
References 2
Algorithmic Complexity Attacks
Scott A. Crosby and Dan S. Wallach
Proceedings of the 12th USENIX Security Symposium
08-2003
ID: REF-395
Catastrophic backtracking
Ilya Kantor
13-12-2020
ID: REF-1164
Likelihood of Exploit
Low
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms
Quadratic Complexity
Used when the algorithmic complexity is related to the square of the number of inputs (N^2)Functional Areas
- Cryptography
Related Weaknesses
Taxonomy Mapping
- PLOVER