CWE-636 Détail

CWE-636

Nom

Not Failing Securely ('Failing Open')

Statut

Draft

Publié

2008-01-30
00h00 +00:00

Modifié

2023-10-26
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

Description du CWE

By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."

Informations générales

Modes d'introduction

Architecture and Design
Implementation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: ICS/OT (Undetermined)

Conséquences courantes

Portée	Impact	Probabilité
Access Control	Bypass Protection Mechanism Note: Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects.

Exemples observés

Références	Description
CVE-2007-5277	The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional."
CVE-2006-4407	Incorrect prioritization leads to the selection of a weaker cipher. Although it is not known whether this issue occurred in implementation or design, it is feasible that a poorly designed algorithm could be a factor.

Mesures d’atténuation potentielles

Phases : Architecture and Design
Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Commentaire : Examine children of this entry to see if there is a better fit

NotesNotes

Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).

Références

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-522

Failing Securely
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20221017053210/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/failing-securely

Soumission

Nom	Organisation	Date	Date de publication	Version
Pascal Meunier	Purdue University	2008-01-18 +00:00	2008-01-30 +00:00	Draft 8

Modifications

Nom	Organisation	Date	Commentaire
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team	MITRE	2009-01-12 +00:00	updated Description, Name
CWE Content Team	MITRE	2009-03-10 +00:00	updated Relationships
CWE Content Team	MITRE	2009-05-27 +00:00	updated Name
CWE Content Team	MITRE	2010-12-13 +00:00	updated Research_Gaps
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Causal_Nature, Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2022-04-28 +00:00	updated Relationships
CWE Content Team	MITRE	2022-10-13 +00:00	updated References
CWE Content Team	MITRE	2023-01-31 +00:00	updated Applicable_Platforms
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Demonstrative_Examples

Détail du CWE-636