Title

The application must not be vulnerable to race conditions. (Cat II impact)

Discussion

A race condition is a timing event within an application that can become a security vulnerability. A race condition can occur when a pair of programming calls operating simultaneously do not work in a sequential or coordinated manner. A race condition is a timing event within software that can become a security vulnerability if the calls are not performed in the correct order. There are different types of race conditions and they are dependent upon the action that the application is undertaking when the race condition occurs. Some examples of race conditions include but are not limited to: - Time of check, time of use: the time in which a given resource is checked, and the time that resource is used. - Thread based: two threads of execution use a resource simultaneously, resource may be invalid when used. - Switch based: variable switches values while switch statement is in progress. Developers must be cognizant of programming sequence and use sanity checks to validate data prior to acting upon it. A code review or a static code analysis is the method used to identify race conditions.

Check Content

Review the application documentation and architecture. If the application is a COTS application and the vendor will not provide code review test results that demonstrate the application has been tested and is not susceptible to race conditions, the requirement is NA. Interview the application admin and identify the most recent code testing and analysis that has been conducted. Review the test results; verify configuration of analysis tools are set to check for the existence of race conditions. If race conditions are identified in the test results, verify the latest test results are being used, if not, ensure remediation has been completed. If the test results show race conditions exist and no remediation evidence is presented, or if test results are not available, this is a finding.

Fix Text

Be aware of potential timing issues related to application programming calls when designing and building the application. Validate that variable values do not change while a switch event is occurring.

Additional Identifiers

Rule ID: SV-222567r879887_rule

Vulnerability ID: V-222567

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.