CWE-306: Missing Authentication for Critical Function

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

As data is migrated to the cloud, if access does not require authentication, it can be easier for attackers to access the data from anywhere on the Internet.

Example Vulnerable Codes

Example - 1

In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application.



BankAccount account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance);return account;public BankAccount createBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) {}

However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects.

The following Java code includes a boolean variable and method for authenticating a user. If the user has not been authenticated then the createBankAccount will not create the bank account object.


// // authenticate user,// 
// // if user is authenticated then set variable to true// 
// // otherwise set variable to false// 
...


account = new BankAccount();account.setAccountNumber(accountNumber);account.setAccountType(accountType);account.setAccountOwnerName(accountName);account.setAccountOwnerSSN(accountSSN);account.setBalance(balance);
BankAccount account = null;if (isUserAuthentic) {}return account;private boolean isUserAuthentic = false;public boolean authenticateUser(String username, String password) {}public BankAccount createNewBankAccount(String accountNumber, String accountType,String accountName, String accountSSN, double balance) {}

Example - 2

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors did not use any authentication for critical functionality in their OT products.

Example - 3

In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.

A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295]

While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.

The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 21, 2024 11:55