CWE-589: Call to Non-ubiquitous API
Learn about CWE-589 (Call to Non-ubiquitous API), its security impact, exploitation methods, and prevention guidelines.
What is Call to Non-ubiquitous API?
• Overview: Call to Non-ubiquitous API (CWE-589) occurs when a software product calls an API function that is not available in every version of its target platform, so the program behaves inconsistently or fails on the versions that lack that function.
• Exploitation Methods:
- Attackers can exploit this weakness by targeting software that fails when the expected API is absent, which can lead to denial of service.
- Common attack patterns involve triggering code paths that depend on an unavailable API, causing the application to crash or behave unexpectedly.
• Security Impact:
- Direct consequences include application crashes or denial of service when the application attempts to invoke a non-existent API.
- Potential cascading effects could involve security features not being applied, exposing the application to further vulnerabilities.
- Business impact includes loss of reliability, increased maintenance costs, and potential reputational damage if the application fails in production environments.
• Prevention Guidelines:
- Specific code-level fixes include checking for the availability of APIs at runtime and providing fallback mechanisms or alternative implementations.
- Security best practices involve avoiding deprecated or non-ubiquitous APIs and regularly updating code to use widely supported APIs.
- Recommended tools and frameworks include static analysis tools that flag calls to APIs unsupported on a targeted platform version, and platform-specific compatibility guidelines that document which version introduced each API.
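As an added example, not part of the CWE entry: the runtime availability check with a fallback recommended above, written in C for Linux. It assumes getrandom() as the non-ubiquitous API (absent on kernels before 3.17, so the call fails with ENOSYS) and /dev/urandom as the fallback; both choices are assumptions of this example, not from the page.

```c
/* Added example (not from the CWE entry): check at runtime whether a
 * platform API exists and fall back when it does not. getrandom()
 * (Linux >= 3.17) is tried first; ENOSYS from an older kernel selects
 * /dev/urandom instead of crashing or running without randomness. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Which source supplied the bytes, so callers can audit the fallback. */
enum rand_source { RAND_NONE = 0, RAND_GETRANDOM = 1, RAND_URANDOM = 2 };

static int read_dev_urandom(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fills buf with len random bytes; returns 0 on success, -1 on failure. */
int fill_random(unsigned char *buf, size_t len, enum rand_source *src) {
    if (src) *src = RAND_NONE;
#ifdef SYS_getrandom   /* build headers know the call; the kernel may not */
    size_t got = 0;
    while (got < len) {
        long n = syscall(SYS_getrandom, buf + got, len - got, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS) break;   /* too old: use the fallback */
        if (n < 0) return -1;
        got += (size_t)n;
    }
    if (got == len) { if (src) *src = RAND_GETRANDOM; return 0; }
#endif
    if (read_dev_urandom(buf, len) != 0) return -1;
    if (src) *src = RAND_URANDOM;
    return 0;
}

/* Returns 1 when 32 bytes came from a known source and are not all zero. */
int self_check(void) {
    unsigned char buf[32] = {0}; enum rand_source src; size_t i;
    if (fill_random(buf, sizeof buf, &src) != 0 || src == RAND_NONE) return 0;
    for (i = 0; i < sizeof buf; i++) if (buf[i]) return 1;
    return 0;
}
```

The same pattern (probe, treat "not implemented" as a signal, take a documented fallback, record which path ran) applies to any API that exists only on some platform versions; failing closed is preferable to the silent loss of a security feature described under Security Impact.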
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified