Modes Of Introduction
Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
Operation
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Access Control | Gain Privileges or Assume Identity, Bypass Protection Mechanism | |
Observed Examples
References |
Description |
| When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS). |
| DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote. |
| Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database. |
| User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. |
| FTP service can not be disabled even when other access controls would require it. |
| Windows named pipe created without authentication/access control, allowing configuration modification. |
| Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address. |
Potential Mitigations
Phases : Architecture and Design
Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
NotesNotes
This can be primary to authentication errors, and resultant from unhandled error conditions.
Submission
Name |
Organization |
Date |
Date release |
Version |
PLOVER |
|
2006-07-19 +00:00 |
2006-07-19 +00:00 |
Draft 3 |
Modifications
Name |
Organization |
Date |
Comment |
Eric Dalci |
Cigital |
2008-07-01 +00:00 |
updated Potential_Mitigations, Time_of_Introduction |
CWE Content Team |
MITRE |
2008-09-08 +00:00 |
updated Relationships, Relationship_Notes, Taxonomy_Mappings |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2012-10-30 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2013-07-17 +00:00 |
updated Applicable_Platforms, Potential_Mitigations, Relationships |
CWE Content Team |
MITRE |
2014-07-30 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Modes_of_Introduction, Relationships |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-08-20 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Description |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |
CWE Content Team |
MITRE |
2023-10-26 +00:00 |
updated Observed_Examples |
CWE Content Team |
MITRE |
2024-02-29 +00:00 |
updated Demonstrative_Examples |