CWE-657 Detail

CWE-657: Violation of Secure Design Principles
Status: Draft
Created: 2008-01-30 00:00 +00:00
Last modified: 2024-02-29 00:00 +00:00

Name: Violation of Secure Design Principles

The product violates well-established principles for secure design.

CWE Description

This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems.

General Information

Modes Of Introduction

Architecture and Design
Implementation
Operation

Common Consequences

Scope: Other
Impact: Other
Likelihood: (none given)

Observed Examples

CVE-2019-6260: Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].

CVE-2007-5277: The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional."

CVE-2006-7142: Hard-coded cryptographic key stored in executable program.

CVE-2007-0408: Server does not properly validate client certificates when reusing cached connections.
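The DNS-pinning failure behind CVE-2007-5277 above, as an added simulation that is not browser code and not part of the CWE entry: a pin cache that drops the pin when a connection fails ("fail functional") lets the next request re-resolve to whatever address the DNS record now points at, while a cache that keeps the pin ("fail secure") simply reports the failure. The hostname, the resolver answers and the connect behaviour are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS answers for one hostname: the first lookup returns a public
# address, every later lookup returns a private one (a rebinding sequence).
REBINDING_ANSWERS: List[str] = ["203.0.113.10", "10.0.0.5"]
HOST = "rebinder.example"  # placeholder hostname, not from the CWE entry

def make_resolver(answers: List[str]) -> Callable[[str], str]:
    """Resolver that hands out `answers` in order, one per lookup."""
    lookups = {"n": 0}

    def resolve(host: str) -> str:
        ip = answers[min(lookups["n"], len(answers) - 1)]
        lookups["n"] += 1
        return ip

    return resolve

def public_unreachable(ip: str) -> bool:
    """Simulated connect(): the public 203.0.113.0/24 host refuses; others accept."""
    return not ip.startswith("203.0.113.")

class PinCache:
    """Hostname -> pinned IP, with a chosen policy for failed connections."""
    def __init__(self, resolve, connect, reset_on_failure: bool) -> None:
        self.pins: Dict[str, str] = {}
        self.resolve, self.connect = resolve, connect
        self.reset_on_failure = reset_on_failure

    def fetch(self, host: str) -> Optional[str]:
        """Return the IP actually connected to, or None if the attempt failed."""
        if host not in self.pins:
            self.pins[host] = self.resolve(host)  # pin the first answer
        ip = self.pins[host]
        if self.connect(ip):
            return ip
        if self.reset_on_failure:
            # "Fail functional": forget the pin so the next request re-resolves,
            # handing the choice of the next address to whoever controls the record.
            del self.pins[host]
        return None  # "Fail secure" keeps the pin and just reports the failure

def run(reset_on_failure: bool) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Two requests to HOST: (first result, second result, pin left in the cache)."""
    cache = PinCache(make_resolver(REBINDING_ANSWERS), public_unreachable, reset_on_failure)
    first = cache.fetch(HOST)
    second = cache.fetch(HOST)
    return first, second, cache.pins.get(HOST)
```

With the reset policy the second request lands on the private address; with the pin kept, both requests fail and the original pin survives.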

Vulnerability Mapping Notes

Justification: This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate.
Comment: Examine the children of this entry to see if there is a better fit.

Notes

The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.

References

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-546

Design Principles
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20220126060046/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/design-principles

REF-542

RFC 793: Transmission Control Protocol
Jon Postel, Editor.
https://www.ietf.org/rfc/rfc0793.txt

REF-1138

CVE-2019-6260: Gaining control of BMC from the host processor
Stewart Smith.
https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/

REF-1314

ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01

REF-1315

Unleashing Mayhem over Bluetooth Low Energy
Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang, Singapore University of Technology and Design.
https://asset-group.github.io/disclosures/sweyntooth/

Submission

Name: CWE Community
Date: 2008-01-30 +00:00
Release date: 2008-01-30 +00:00
Version: Draft 8

Modifications

Name | Organization | Date | Comment
Eric Dalci | Cigital | 2008-07-01 +00:00 | updated Time_of_Introduction
CWE Content Team | MITRE | 2008-09-08 +00:00 | updated Description, Relationships
CWE Content Team | MITRE | 2011-06-01 +00:00 | updated Common_Consequences
CWE Content Team | MITRE | 2012-05-11 +00:00 | updated Relationships
CWE Content Team | MITRE | 2014-07-30 +00:00 | updated Relationships
CWE Content Team | MITRE | 2017-01-19 +00:00 | updated Relationships
CWE Content Team | MITRE | 2020-02-24 +00:00 | updated Relationships
CWE Content Team | MITRE | 2021-10-28 +00:00 | updated Relationships
CWE Content Team | MITRE | 2022-10-13 +00:00 | updated References
CWE Content Team | MITRE | 2023-01-31 +00:00 | updated Maintenance_Notes, Relationships, Taxonomy_Mappings
CWE Content Team | MITRE | 2023-04-27 +00:00 | updated References, Relationships
CWE Content Team | MITRE | 2023-06-29 +00:00 | updated Mapping_Notes
CWE Content Team | MITRE | 2023-10-26 +00:00 | updated Demonstrative_Examples, Observed_Examples, References
CWE Content Team | MITRE | 2024-02-29 +00:00 | updated Mapping_Notes