CWE-657 details

CWE-657: Violation of Secure Design Principles
Status: Draft
Created: 2008-01-30 00h00 +00:00
Last modified: 2024-02-29 00h00 +00:00

Name: Violation of Secure Design Principles

The product violates well-established principles for secure design.

CWE description

This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems.

General information

Modes of introduction

Architecture and Design
Implementation
Operation

Common consequences

Scope | Impact | Likelihood
Other | Other | not stated

Observed examples

Reference | Description

CVE-2019-6260

Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].

CVE-2007-5277

The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional."

CVE-2006-7142

Hard-coded cryptographic key stored in executable program.

CVE-2007-0408

Server does not properly validate client certificates when reusing cached connections.

Vulnerability mapping notes

Rationale: This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate.
Comments: Examine children of this entry to see if there is a better fit.

Notes

The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.

References

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-546

Design Principles
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20220126060046/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/design-principles

REF-542

RFC 793: Transmission Control Protocol
Jon Postel, Editor.
https://www.ietf.org/rfc/rfc0793.txt

REF-1138

CVE-2019-6260: Gaining control of BMC from the host processor
Stewart Smith.
https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/

REF-1314

ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01

REF-1315

Unleashing Mayhem over Bluetooth Low Energy
Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang, Singapore University of Technology and Design.
https://asset-group.github.io/disclosures/sweyntooth/

Submission

Name | Organization | Date | Release date | Version
CWE Community | | 2008-01-30 +00:00 | 2008-01-30 +00:00 | Draft 8

Modifications

Name | Organization | Date | Comment
Eric Dalci | Cigital | 2008-07-01 +00:00 | updated Time_of_Introduction
CWE Content Team | MITRE | 2008-09-08 +00:00 | updated Description, Relationships
CWE Content Team | MITRE | 2011-06-01 +00:00 | updated Common_Consequences
CWE Content Team | MITRE | 2012-05-11 +00:00 | updated Relationships
CWE Content Team | MITRE | 2014-07-30 +00:00 | updated Relationships
CWE Content Team | MITRE | 2017-01-19 +00:00 | updated Relationships
CWE Content Team | MITRE | 2020-02-24 +00:00 | updated Relationships
CWE Content Team | MITRE | 2021-10-28 +00:00 | updated Relationships
CWE Content Team | MITRE | 2022-10-13 +00:00 | updated References
CWE Content Team | MITRE | 2023-01-31 +00:00 | updated Maintenance_Notes, Relationships, Taxonomy_Mappings
CWE Content Team | MITRE | 2023-04-27 +00:00 | updated References, Relationships
CWE Content Team | MITRE | 2023-06-29 +00:00 | updated Mapping_Notes
CWE Content Team | MITRE | 2023-10-26 +00:00 | updated Demonstrative_Examples, Observed_Examples, References
CWE Content Team | MITRE | 2024-02-29 +00:00 | updated Mapping_Notes