Description
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
Consequences
Access Control, Other: Gain Privileges or Assume Identity, Other
Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.
Potential Mitigations
Phase: Architecture and Design
Description:
Phase: Architecture and Design
Description:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Architecture and Design
Description:
Phase: Architecture and Design
Description:
CVE References
- CVE-2002-1810
- MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information.
- CVE-2008-6827
- Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter” attack.
- CVE-2004-0213
- Product enforces restrictions through a GUI but not through privileged APIs.
- CVE-2020-15483
- monitor device allows access to physical UART debug port without authentication
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...