CWE-494: Download of Code Without Integrity Check
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Extended Description
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Common Consequences
Scope: Integrity, Availability, Confidentiality, Other
Technical Impact: Execute Unauthorized Code or Commands; Alter Execution Logic; Other
Note: Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.
Potential Mitigations
Phase: Implementation
Description: Perform proper forward and reverse DNS lookups to detect DNS spoofing.
Phase: Architecture and Design, Operation
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Phase: Architecture and Design, Operation
Strategy: Environment Hardening
Description: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phase: Architecture and Design, Operation
Strategy: Sandbox or Jail
Effectiveness: Limited
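The entry describes the weakness and its mitigations but shows no code, so the following is an added illustration (not from the CWE entry or any referenced product) of what "sufficiently verifying integrity" looks like in an updater: the artifact is hashed in memory against a digest pinned out-of-band, compared in constant time, and only a verified copy is ever staged as executable. The URL, the `fetch` callable and both payloads are constructed placeholders.

```python
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Callable


class IntegrityError(Exception):
    """Raised when a downloaded artifact does not match its pinned digest."""


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the artifact's SHA-256 with the pinned digest in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_verified(url: str, expected_hex: str,
                   fetch: Callable[[str], bytes], dest_dir: str) -> str:
    """Download via `fetch`, verify in memory, and only then stage an executable file.

    The digest must come from a channel independent of the download (e.g. shipped
    with the client), so a compromised host, a DNS spoof or in-transit tampering
    all produce a mismatch and nothing is written or executed.
    """
    data = fetch(url)
    if not verify_sha256(data, expected_hex):
        raise IntegrityError(f"digest mismatch for {url}; refusing to stage")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".stage-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IXUSR)  # exec bit only after verification
    final = os.path.join(dest_dir, "update.bin")
    os.replace(tmp, final)  # atomic rename: no half-written executable is visible
    return final


# Constructed sample artifact (hypothetical). The pinned digest is derived here for
# the demo only; a real updater ships it with the client, never with the download.
GOOD_PAYLOAD = b"#!/bin/sh\necho 'firmware v2 (constructed sample)'\n"
TAMPERED_PAYLOAD = b"#!/bin/sh\necho 'firmware v2 (modified in transit)'\n"
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()


def run_demo() -> dict:
    """Stage the genuine artifact, then show that a modified one is rejected."""
    dest = tempfile.mkdtemp()
    url = "https://updates.example/fw.bin"  # placeholder, never contacted
    results = {"good": "staged" if fetch_verified(url, PINNED_SHA256, lambda _u: GOOD_PAYLOAD, dest) else "error"}
    try:
        fetch_verified(url, PINNED_SHA256, lambda _u: TAMPERED_PAYLOAD, dest)
        results["tampered"] = "staged"
    except IntegrityError:
        results["tampered"] = "rejected"
    return results
```

Pairing this with a signature check over the digest file, or downloading over a TLS connection whose certificate is actually validated (contrast CVE-2021-22909 below), covers the origin half of the check as well.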
Detection Methods
Method: Manual Analysis
Method: Black Box
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2019-9534
Satellite phone does not validate its firmware image.
Reference: CVE-2021-22909
Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
Reference: CVE-2008-3438
OS does not verify authenticity of its own updates.
Reference: CVE-2008-3324
Online poker client does not verify authenticity of its own updates.
Reference: CVE-2001-1125
Anti-virus product does not verify automatic updates for itself.
Reference: CVE-2002-0671
VOIP phone downloads applications from web sites without verifying integrity.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Invoking untrusted mobile code | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | - |
| Software Fault Patterns | SFP27 | Tainted input to environment | - |
Key Information
CWE ID: CWE-494
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: Medium