HoT-TAI-0007: Weak Access Controls


Summary:

CWE-284 Improper Access Control: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Access control involves the use of several protection mechanisms such as authentication (proving the identity of an actor), authorization (ensuring that a given actor can access a resource), and accountability (tracking of activities that were performed). When any mechanism is not applied or otherwise fails, attackers can compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:

  • Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.

  • Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
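The two behaviors above are easiest to see side by side in code. The following Python is an added example written for this page; it is not code from the HoT-TAI project or from any device vendor. It models a hypothetical IoT device administrative interface with a small in-memory role table, a client-controlled role field, and a toy "allow|deny <role> <path>" ACL format; all role names, endpoints and the ACL syntax are assumptions. The specification half shows a role table that grants guest the admin verbs and a file-mode check for the "world-writable password file" case; the enforcement half shows the same correct policy defeated by trusting the caller's own privilege claim, and an ACL parser that turns a typo into an allow rule, each beside a fail-closed version.

```python
"""Added example, not from the HoT-TAI page: the two CWE-284 failure modes
(specification vs. enforcement) modelled for a hypothetical IoT device
admin interface. Role names, endpoints and the ACL syntax are assumptions."""

import stat
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# Specification weaknesses: the policy or permission bits themselves are wrong.
# ---------------------------------------------------------------------------

PRIVILEGED_ACTIONS = {"POST /admin/reboot", "POST /admin/firmware"}

# Hypothetical role table shipped in a device's firmware: guest was given the
# same verbs as admin (the "administrator capabilities to a guest user" case).
WEAK_POLICY = {
    "guest": {"GET /status", "POST /admin/reboot", "POST /admin/firmware"},
    "admin": {"GET /status", "POST /admin/reboot", "POST /admin/firmware"},
}

# Least-privilege version: only admin holds the privileged verbs.
POLICY = {
    "guest": {"GET /status"},
    "admin": {"GET /status", "POST /admin/reboot", "POST /admin/firmware"},
}


def overprivileged_roles(policy, privileged=PRIVILEGED_ACTIONS, trusted=("admin",)):
    """Return roles outside `trusted` that hold any privileged action."""
    return {role for role, actions in policy.items()
            if role not in trusted and actions & privileged}


def is_world_writable(mode):
    """True if the 'other' write bit is set (e.g. a 0666 /etc/passwd)."""
    return bool(mode & stat.S_IWOTH)


# ---------------------------------------------------------------------------
# Enforcement weaknesses: the policy is right but the code does not apply it.
# ---------------------------------------------------------------------------

@dataclass
class Session:
    user: str
    role: str  # set by the server at login; never copied from the client


def authorize_from_request(policy, form, action):
    """Vulnerable: the role is read from the submitted form, so a guest who
    posts role=admin is granted admin actions ("allowing the user to specify
    their own privileges")."""
    role = form.get("role", "guest")
    return action in policy.get(role, set())


def authorize(policy, session, action):
    """Hardened: the role comes from the server-side session, and an unknown
    role or action is denied (fail closed)."""
    return action in policy.get(session.role, set())


def parse_acl_lenient(text):
    """Vulnerable parser for a hypothetical 'allow|deny <role> <path>' ACL.
    Anything that is not the literal word 'deny' is treated as allow, so a
    typo such as 'dny' silently becomes an allow rule."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed lines are dropped without complaint
        verb, role, path = parts
        rules.append((role, path, verb != "deny"))
    return rules


def parse_acl_strict(text):
    """Hardened parser: every line must be well-formed and use a known verb;
    otherwise the whole ACL is rejected so the device falls back to default deny."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"ACL line {lineno}: malformed rule {line!r}")
        verb, role, path = parts
        rules.append((role, path, verb == "allow"))
    return rules


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    print("over-privileged roles in WEAK_POLICY:", overprivileged_roles(WEAK_POLICY))
    forged = {"user": "guest1", "role": "admin"}  # client-controlled field
    print("forged role accepted:", authorize_from_request(POLICY, forged, "POST /admin/firmware"))
    print("session role enforced:", authorize(POLICY, Session("guest1", "guest"), "POST /admin/firmware"))
    acl = "allow admin /admin\ndny guest /admin\n"  # note the typo
    print("lenient parse:", parse_acl_lenient(acl))
    try:
        parse_acl_strict(acl)
    except ValueError as err:
        print("strict parse rejected:", err)
```

The two halves fail in different places: `overprivileged_roles` and `is_world_writable` are audit checks that find a bad specification before deployment, while `authorize` and `parse_acl_strict` are the enforcement code paths that must never derive privilege from untrusted input and must fail closed on anything they do not understand.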

See also: "HoT-TAI-0014: Privilege escalation" (CWE-269 Improper Privilege Management)

Estimated Overall Risk Assessment: HIGH


  • Technical Impacts: VARIES BY CONTEXT

    • Weak access controls could allow an attacker to gain access to sensitive information including passwords, device information, or user data.
  • Business Impacts: HIGH

    • Data confidentiality, integrity, and availability could be compromised. An attacker could gain control over the IoT device and establish a foothold within your network for further actions-on-objective (e.g., further exploitation of the internal network, or use of the IoT device as part of a botnet to launch attacks against national critical infrastructure).
  • Detectability: EASY

  • Prevalence: TBD

  • Exploitability: EASY

Attack Surfaces Grouped By Layer of Cyberspace


  • Physical Network Layer
    • Device Firmware
    • Device Network Services
    • Administrative Interface
    • Device Web Interface
    • Mobile Application
    • Update Mechanism
  • Logical Network Layer
    • Vendor Backend APIs
    • 3rd Party Backend APIs
    • Cloud Web Interface

Known Intrusion / Exploit / Attack Cases and Threats


TBD

Identify, Detect, Protect, Respond, and Recover (NIST FICIC)


This vulnerability page (and some information contained in the associated attack page) addresses the following:

  • IDENTIFY-RISK ASSESSMENT (ID.RA)

    • ID.RA-1: Asset vulnerabilities are identified and documented
      • See "Analysis Tools and Training" below.
    • ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and sources
    • ID.RA-3: Threats, both internal and external are identified and documented
    • ID.RA-4: Potential business impacts and likelihoods are identified
    • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
    • ID.RA-6: Risk responses are identified and prioritized
  • PROTECT-Information Protection Processes and Procedures (PR.IP)

    • PR.IP-12: A vulnerability management plan is developed and implemented
  • DETECT-Anomalies and Events (DE.AE)

    • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DETECT-Security Continuous Monitoring (DE.CM)

    • DE.CM-1: The network is monitored to detect potential cybersecurity events

Analysis Tools and Training


See "HoT-TAI-0014: Privilege escalation" (CWE-269 Improper Privilege Management)

Associated CVEs / Manufacturers / Devices


Use this link to identify the latest access control vulnerabilities. Note that this search query is not IoT-specific.

References


TBD
