CWE-1293 – Missing Source Correlation of Multiple Independent Data

Read Time:54 Second

Description

The software relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345
CWE-654

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Gain Privileges or Assume Identity

An attacker that may be able to execute a single Person-in-the-Middle attack can subvert a check of an external oracle (e.g. the ACME protocol check for a file on a website), and thus inject an arbitrary reply to the single perspective request to the external oracle.

 

Potential Mitigations

Phase: Requirements

Description: 

Design system to use a Practical Byzantine fault method, to request information from multiple sources to verify the data and report on potentially compromised information sources.

Phase: Implementation

Description: 

Failure to use a Practical Byzantine fault method when requesting data. Lack of place to report potentially compromised information sources. Relying on non-independent information sources for integrity checking. Failure to report information sources that respond in the minority to incident response procedures.

CVE References