CWE-284: Improper Access Control
Weakness ID: 284
Version: v4.17
Weakness Name: Improper Access Control
Vulnerability Mapping: Discouraged
Abstraction: Pillar
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

▼Extended Description

Access control involves the use of several protection mechanisms such as:

  • Authentication (proving the identity of an actor)
  • Authorization (ensuring that a given actor can access a resource), and
  • Accountability (tracking of activities that were performed)

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:

  • Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
  • Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
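
The two behaviors side by side, as an added example that is not part of the CWE entry: an enforcement flaw (a syntactically incorrect ACL that fails open instead of closed) and a specification flaw (a correctly enforced policy that is itself too permissive). The `principal:perm,perm` ACL syntax, the function names, and the sample paths and ACL strings are assumptions constructed for illustration.

```python
import stat

VALID_PERMS = {"read", "write", "admin"}


class ACLSyntaxError(ValueError):
    """Raised when any line of the ACL cannot be parsed."""


def parse_acl(text):
    """Parse 'principal:perm,perm' lines; one bad line rejects the whole ACL."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, sep, perms = line.partition(":")
        principal = principal.strip()
        perm_set = {p.strip() for p in perms.split(",")}
        if not sep or not principal or not perm_set <= VALID_PERMS:
            raise ACLSyntaxError(f"line {lineno}: {raw!r}")
        acl.setdefault(principal, set()).update(perm_set)
    return acl


def is_allowed_fail_open(acl_text, principal, perm):
    """Enforcement flaw: an unparseable policy is treated as 'no restrictions'."""
    try:
        acl = parse_acl(acl_text)
    except ACLSyntaxError:
        return True  # weak: the syntax error silently disables the check
    return perm in acl.get(principal, set())


def is_allowed_fail_closed(acl_text, principal, perm):
    """Corrected enforcement: an unparseable policy denies every request."""
    try:
        acl = parse_acl(acl_text)
    except ACLSyntaxError:
        return False
    return perm in acl.get(principal, set())


def audit_specification(acl, file_modes):
    """Specification flaws: the policy parses and is enforced, but grants too much."""
    findings = []
    for path, mode in file_modes.items():
        if mode & stat.S_IWOTH:  # "other" write bit set
            findings.append(f"world-writable: {path} {stat.filemode(mode)}")
    if "admin" in acl.get("guest", set()):
        findings.append("guest holds admin")
    return findings


# Constructed sample inputs.
GOOD_ACL = "alice:read,write\nguest:read\n"
BROKEN_ACL = "alice:read,write\nguest read\n"   # second line is missing ':'
OVERBROAD_ACL = "alice:read\nguest:admin\n"     # valid syntax, wrong policy
FILE_MODES = {
    "/etc/app/passwd": stat.S_IFREG | 0o666,    # world-writable password file
    "/etc/app/app.conf": stat.S_IFREG | 0o640,
}

if __name__ == "__main__":
    print("fail-open  :", is_allowed_fail_open(BROKEN_ACL, "guest", "admin"))
    print("fail-closed:", is_allowed_fail_closed(BROKEN_ACL, "guest", "admin"))
    for finding in audit_specification(parse_acl(OVERBROAD_ACL), FILE_MODES):
        print("specification:", finding)
```
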
▼Alternate Terms
Authorization

The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | View | 1000 | Research Concepts
ParentOf | Allowed | Base | 1191 | On-Chip Debug and Test Interface With Improper Access Control
ParentOf | Allowed | Base | 1220 | Insufficient Granularity of Access Control
ParentOf | Allowed | Base | 1224 | Improper Restriction of Write-Once Bit Fields
ParentOf | Allowed | Base | 1231 | Improper Prevention of Lock Bit Modification
ParentOf | Allowed | Base | 1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection
ParentOf | Allowed | Base | 1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
ParentOf | Allowed | Base | 1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions
ParentOf | Allowed | Base | 1262 | Improper Access Control for Register Interface
ParentOf | Allowed | Base | 1259 | Improper Restriction of Security Token Assignment
ParentOf | Allowed | Base | 1260 | Improper Handling of Overlap Between Protected Memory Ranges
ParentOf | Allowed-with-Review | Class | 1263 | Improper Physical Access Control
ParentOf | Allowed | Base | 1267 | Policy Uses Obsolete Encoding
ParentOf | Allowed | Base | 1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents
ParentOf | Allowed | Base | 1270 | Generation of Incorrect Security Tokens
ParentOf | Allowed | Base | 1274 | Improper Access Control for Volatile Memory Containing Boot Code
ParentOf | Allowed | Base | 1276 | Hardware Child Block Incorrectly Connected to Parent System
ParentOf | Allowed | Base | 1280 | Access Control Check Implemented After Asset is Accessed
ParentOf | Allowed | Base | 1283 | Mutable Attestation or Measurement Reporting Data
ParentOf | Allowed | Base | 1290 | Incorrect Decoding of Security Identifiers
ParentOf | Allowed | Base | 1292 | Incorrect Conversion of Security Identifiers
ParentOf | Allowed-with-Review | Class | 1294 | Insecure Security Identifier Mechanism
ParentOf | Allowed | Base | 1296 | Incorrect Chaining or Granularity of Debug Components
ParentOf | Allowed | Base | 1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
ParentOf | Allowed | Base | 1311 | Improper Translation of Security Attributes by Fabric Bridge
ParentOf | Allowed | Base | 1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
ParentOf | Allowed | Base | 1313 | Hardware Allows Activation of Test or Debug Logic at Runtime
ParentOf | Allowed | Base | 1315 | Improper Setting of Bus Controlling Capability in Fabric End-point
ParentOf | Allowed | Base | 1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
ParentOf | Allowed | Base | 1317 | Improper Access Control in Fabric Bridge
ParentOf | Allowed | Base | 1320 | Improper Protection for Outbound Error Messages and Alert Signals
ParentOf | Allowed | Base | 1323 | Improper Management of Sensitive Trace Data
ParentOf | Allowed | Base | 1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy
ParentOf | Discouraged | Class | 269 | Improper Privilege Management
ParentOf | Allowed-with-Review | Class | 282 | Improper Ownership Management
ParentOf | Discouraged | Class | 285 | Improper Authorization
ParentOf | Allowed-with-Review | Class | 286 | Incorrect User Management
ParentOf | Discouraged | Class | 287 | Improper Authentication
ParentOf | Allowed-with-Review | Class | 346 | Origin Validation Error
ParentOf | Allowed | Base | 749 | Exposed Dangerous Method or Function
ParentOf | Allowed-with-Review | Class | 923 | Improper Restriction of Communication Channel to Intended Endpoints
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 254 | 7PK - Security Features
MemberOf | Prohibited | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control
MemberOf | Prohibited | Category | 944 | SFP Secondary Cluster: Access Management
MemberOf | Prohibited | Category | 1011 | Authorize Actors
MemberOf | Prohibited | Category | 1031 | OWASP Top Ten 2017 Category A5 - Broken Access Control
MemberOf | Prohibited | View | 1340 | CISQ Data Protection Measures
MemberOf | Prohibited | Category | 1345 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
MemberOf | Prohibited | Category | 1369 | ICS Supply Chain: IT/OT Convergence/Expansion
MemberOf | Prohibited | Category | 1372 | ICS Supply Chain: OT Counterfeit and Malicious Corruption
MemberOf | Prohibited | Category | 1396 | Comprehensive Categorization: Access Control
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-280 | Separation of Privilege Strategy
MemberOf | Prohibited | BOSSView | BOSS-305 | ICS/OT (technology class) Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-307 | Not Technology-Specific (technology class) Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-326 | Varies by Context (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1011 | Authorize Actors

Relevant to the view "OWASP Top Ten (2021) - (1344)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1345 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Relevant to the view "SEI ETF Categories of Security Vulnerabilities in ICS - (1358)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1369 | ICS Supply Chain: IT/OT Convergence/Expansion
MemberOf | Prohibited | Category | 1372 | ICS Supply Chain: OT Counterfeit and Malicious Corruption

Relevant to the view "Seven Pernicious Kingdoms - (700)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 254 | 7PK - Security Features

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 944 | SFP Secondary Cluster: Access Management
▼Background Detail

▼Common Consequences
Scope | Likelihood | Impact | Note
Other | N/A | Varies by Context | N/A
▼Potential Mitigations
Phase: Architecture and Design, Operation
Mitigation ID: MIT-1
Strategy:
Effectiveness:
Description:

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Note:


Phase: Architecture and Design
Mitigation ID: MIT-46
Strategy: Separation of Privilege
Effectiveness:
Description:

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Note:

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Phase: Operation
Note:

N/A

▼Applicable Platforms
Technology
Class: Not Technology-Specific (Undetermined Prevalence)
Class: ICS/OT (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference | Description
CVE-2022-24985 | A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
CVE-2022-29238 | Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607 | Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect
CVE-2021-21972 | Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
CVE-2021-37415 | IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
CVE-2021-35033 | Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
CVE-2020-10263 | Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
CVE-2020-13927 | Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
CVE-2010-4624 | Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
▼Affected Resources
  • File or Directory
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Discouraged
Reason: Frequent Misuse, Abstraction
Rationale:

CWE-284 is extremely high-level, a Pillar. Its name, "Improper Access Control," is often misused in low-information vulnerability reports [REF-1287] or by active use of the OWASP Top Ten, such as "A01:2021-Broken Access Control". It is not useful for trend analysis.

Comments:

Consider using descendants of CWE-284 that are more specific to the kind of access control involved, such as those involving authorization (Missing Authorization (CWE-862), Incorrect Authorization (CWE-863), Incorrect Permission Assignment for Critical Resource (CWE-732), etc.); authentication (Missing Authentication (CWE-306) or Weak Authentication (CWE-1390)); Incorrect User Management (CWE-286); Improper Restriction of Communication Channel to Intended Endpoints (CWE-923); etc.

Suggestions:
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-306: Missing Authentication
CWE-1390: Weak Authentication
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
▼Notes
Maintenance

This entry needs more work. Possible sub-categories include:

  • Trusted group includes undesired entities (partially covered by CWE-286)
  • Group can perform undesired actions
  • ACL parse error does not fail closed

▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
PLOVER | N/A | N/A | Access Control List (ACL) errors
WASC | 2 | N/A | Insufficient Authorization
7 Pernicious Kingdoms | N/A | N/A | Missing Access Control
▼Related Attack Patterns
ID | Name
CAPEC-19 | Embedding Scripts within Scripts
CAPEC-441 | Malicious Logic Insertion
CAPEC-478 | Modification of Windows Service Configuration
CAPEC-479 | Malicious Root Certificate
CAPEC-502 | Intent Spoof
CAPEC-503 | WebView Exposure
CAPEC-536 | Data Injected During Configuration
CAPEC-546 | Incomplete Data Deletion in a Multi-Tenant Environment
CAPEC-550 | Install New Service
CAPEC-551 | Modify Existing Service
CAPEC-552 | Install Rootkit
CAPEC-556 | Replace File Extension Handlers
CAPEC-558 | Replace Trusted Executable
CAPEC-562 | Modify Shared File
CAPEC-563 | Add Malicious File to Shared Webroot
CAPEC-564 | Run Software at Logon
CAPEC-578 | Disable Security Software
▼References
[REF-7] Michael Howard, David LeBlanc. "Writing Secure Code". Chapter 6, "Determining Appropriate Access Control", Page 171. 2nd Edition. Microsoft Press. 2002-12-04. https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
[REF-44] Michael Howard, David LeBlanc, John Viega. "24 Deadly Sins of Software Security". "Sin 17: Failure to Protect Stored Data.", Page 253. McGraw-Hill. 2010.
[REF-1287] MITRE. "Supplemental Details - 2022 CWE Top 25". Details of Problematic Mappings. 2022-06-28. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#problematicMappingDetails (URL date: 2024-11-17)