The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
N/A
Threat Mapped score: 1.8
Industry: Financial
Threat priority: P4 - Informational (Low)
CVE: CVE-2024-11680 — KEV
File-sharing PHP product does not check if user is logged in during requests for PHP library files under an includes/ directory, allowing configuration changes, code execution, and other impacts.
CVE: CVE-2022-31260
Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user to export metadata (CWE-306)
CVE: CVE-2022-29951
TCP-based protocol in Programmable Logic Controller (PLC) has no authentication.
CVE: CVE-2022-29952
Condition Monitor firmware uses a protocol that does not require authentication.
CVE: CVE-2022-30276
SCADA-based protocol for bridging WAN and LAN traffic has no authentication.
CVE: CVE-2022-30313
Safety Instrumented System uses proprietary TCP protocols with no authentication.
CVE: CVE-2022-30317
Distributed Control System (DCS) uses a protocol that has no authentication.
CVE: CVE-2021-21972 — KEV
Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
CVE: CVE-2020-10263
Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access.
CVE: CVE-2021-23147
WiFi router does not require authentication for its UART port, allowing adversaries with physical access to execute commands as root.
CVE: CVE-2021-37415 — KEV
IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
CVE: CVE-2020-13927 — KEV
Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
CVE: CVE-2002-1810
MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information.
CVE: CVE-2008-6827
Agent software running with privileges does not authenticate incoming requests over an unprotected channel, allowing a "Shatter" attack.
CVE: CVE-2004-0213
Product enforces restrictions through a GUI but not through privileged APIs.
CVE: CVE-2020-15483
Monitor device allows access to physical UART debug port without authentication.
CVE: CVE-2019-9201
Programmable Logic Controller (PLC) does not have an authentication feature on its communication protocols.
N/A
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Architecture and Design | Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. |
| Operation | When migrating data to the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), there is a risk of losing the protections that were originally provided by hosting on internal networks. If access does not require authentication, it can be easier for attackers to access the data from anywhere on the Internet. |
Intro: In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application.
Body: However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects.
```java
// Vulnerable form from the entry: nothing verifies that the caller is an
// authenticated user entitled to create accounts before the object is built.
public BankAccount createBankAccount(String accountNumber, String accountType,
        String accountName, String accountSSN, double balance) {
    BankAccount account = new BankAccount();
    account.setAccountNumber(accountNumber);
    account.setAccountType(accountType);
    account.setAccountOwnerName(accountName);
    account.setAccountOwnerSSN(accountSSN);
    account.setBalance(balance);
    return account;
}
```
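As an added example (not code from the CWE entry), here is the same method with an authentication gate placed in front of it. The AuthenticatedSession and AuthenticationException types and the CREATE_ACCOUNT privilege name are assumptions for this illustration, and the BankAccount stub only mirrors the setters used above.

```java
import java.util.Set;
public class BankAccountService {
    /** Minimal BankAccount stand-in (the entry's class is assumed to have these setters). */
    public static class BankAccount {
        String accountNumber, accountType, ownerName, ownerSSN; double balance;
        void setAccountNumber(String v) { accountNumber = v; }
        void setAccountType(String v) { accountType = v; }
        void setAccountOwnerName(String v) { ownerName = v; }
        void setAccountOwnerSSN(String v) { ownerSSN = v; }
        void setBalance(double v) { balance = v; }
    }
    /** Thrown when the caller has not proven an identity or lacks the needed privilege. */
    public static class AuthenticationException extends RuntimeException {
        public AuthenticationException(String msg) { super(msg); }
    }
    /** Stand-in for a session that the application's login flow establishes (assumed type). */
    public static final class AuthenticatedSession {
        private final String userId;
        private final Set<String> privileges;
        public AuthenticatedSession(String userId, Set<String> privileges) {
            this.userId = userId;
            this.privileges = Set.copyOf(privileges);
        }
        public String userId() { return userId; }
        public boolean has(String privilege) { return privileges.contains(privilege); }
    }
    /** The authentication gate: runs before any state is created or touched. */
    private static void requireAuthenticated(AuthenticatedSession session, String privilege) {
        if (session == null) {
            throw new AuthenticationException("caller identity not proven: no authenticated session");
        }
        if (!session.has(privilege)) {
            throw new AuthenticationException("user " + session.userId() + " lacks " + privilege);
        }
    }
    /** Hardened form of the entry's createBankAccount: the session carries the proven identity. */
    public BankAccount createBankAccount(AuthenticatedSession session, String accountNumber,
            String accountType, String accountName, String accountSSN, double balance) {
        requireAuthenticated(session, "CREATE_ACCOUNT");
        BankAccount account = new BankAccount();
        account.setAccountNumber(accountNumber);
        account.setAccountType(accountType);
        account.setAccountOwnerName(accountName);
        account.setAccountOwnerSSN(accountSSN);
        account.setBalance(balance);
        return account;
    }
}
```

Calling createBankAccount with a null session, or with a session that does not hold CREATE_ACCOUNT, throws AuthenticationException before any BankAccount exists; a session that holds the privilege proceeds exactly as the original method did.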
Intro: In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Body: Multiple vendors did not use any authentication for critical functionality in their OT products.
Intro: In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.
Body: A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295] While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.