logo

Incomplete Cleanup

Draft Base
Structure: Simple
Description

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Common Consequences 1
Scope: OtherConfidentialityIntegrity

Impact: OtherRead Application DataModify Application DataDoS: Resource Consumption (Other)

It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Architecture and DesignImplementation
Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.
Demonstrative Examples 1
Stream resources in a Java application should be released in a finally block, otherwise an exception thrown before the call to close() would result in an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect).

Code Example:

Bad
Java
java
Observed Examples 9
CVE-2000-0552World-readable temporary file not deleted after use.
CVE-2005-2293Temporary file not deleted after use, leaking database usernames and passwords.
CVE-2002-0788Interaction error creates a temporary file that can not be deleted due to strong permissions.
CVE-2002-2066Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2067Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2068Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2069Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2070Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2005-1744Users not logged out when application is restarted after security-relevant changes were made.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Alternate Terms

Insufficient Cleanup
Functional Areas
  1. File Processing
Related Weaknesses
ChildOf: Improper Resource Shutdown or Release (CWE-404)
ChildOf: Improper Resource Shutdown or Release (CWE-404)
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2004
  • CERT C Secure Coding
  • CERT C Secure Coding
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns
Notes
RelationshipIncomplete Cleanup is a child of Improper Resource Shutdown or Release because, while Improper Resource Shutdown or Release covers any type of improper shutdown or release of a resource, Incomplete Cleanup deals specifically with a multi-step shutdown process in which a crucial step for "proper" cleanup is omitted or impossible. That is, Incomplete Cleanup deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.
RelationshipOverlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. resulting from unhandled error conditions or early termination).