Détail du CWE-1188

CWE-1188

Initialization of a Resource with an Insecure Default
Incomplete
2019-06-20
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

Description du CWE

Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.

Informations générales

Exemples observés

Références Description

CVE-2022-36349

insecure default variable initialization in BIOS firmware for a hardware board allows DoS

CVE-2022-42467

A generic database browser interface has a default mode that exposes a web server to the network, allowing queries to the database.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID Nom du modèle d'attaque
CAPEC-665 Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

NotesNotes

This entry improves organization of concepts under initialization. The typical CWE model is to cover "Missing" and "Incorrect" behaviors. Arguably, this entry could be named as "Incorrect" instead of "Insecure." This might be changed in the near future.

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2019-03-25 +00:00 2019-06-20 +00:00 3.3

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-07-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Demonstrative_Examples, Name, Observed_Examples, Relationships