- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting
- CWE-89: SQL Injection
- CWE-90: LDAP Injection
- CWE-91: XML Injection
- CWE-94: Code Injection
- CWE-98: PHP File Inclusion
- CWE-113: HTTP Response Splitting
- CWE-119: Buffer Errors
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-211: Information Exposure Through Externally-Generated Error Message
- CWE-236: Improper Handling of Undefined Parameters
- CWE-276: Incorrect Default Permissions
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-306: Missing Authentication for Critical Function
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-Site Request Forgery
- CWE-384: Session Fixation
- CWE-427: Uncontrolled Search Path Element
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-476: NULL Pointer Dereference
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-613: Insufficient Session Expiration
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-671: Lack of Administrator Control over Security
- CWE-798: Use of Hard-coded Credentials
- CWE-799: Improper Control of Interaction Frequency
- CWE-822: Untrusted Pointer Dereference
- CWE-835: Infinite Loop
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-942: Overly Permissive Cross-domain Whitelist
CWE is a trademark of the MITRE Corporation.
Lack of Administrator Control over Security [CWE-671]
Lack of Administrator Control over Security weakness describes a case where implemented security features do not grant administrators full control over product security.
Created: February 28, 2014
Latest Update: January 10, 2019
Table of Content
This weakness describes a situation where implemented security features prevent product’s administrators from changing security settings to reflect the environment. As a result, the product’s administrator is unable to perform desired actions beyond the implied bounds. This weakness can be introduced during design or implementation stages of product’s development process.
An example of this issue are hard-coded administrator’s credentials or hidden accounts. The product administrator is unable to change password or see a hidden account and therefore cannot prevent unauthorized access to the product. This exposes the product to outside threads, including developer of the product.
This weakness is usually spotted in firmware and software intended for multilevel access privileges. Exploitation of this weakness may result in complete control over the affected product but can require certain level of privileges within the application or a particular environment.
2. Potential impact
An attacker can leverage lack of administrative control to conceal presence of unwanted product’s features or other functionalities and e.g. place a backdoor, hidden administrative account, etc.
3. Affected software
Software that uses different security roles or contains security features can be affected by this weakness.
4. Severity and CVSS Scoring
This weakness is usually called a backdoor and is scored with the highest severity rating. Existence of hardcoded or hidden administrative account should be scored as:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) – Critical severity.
We use CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance to FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, sometimes they may differ from those ones that are recommended by FIRST.
There is no general recommendations to mitigate this weakness. Existence of backdoor within an application requires immediate attention of security personnel. The following measures are recommended depending on type of possible threat and consequences of unauthorized access:
- Implement access restriction policies. If the product has access to untrusted networks use proper ACLs based on IP addresses, protocols, etc,
- Disconnect it immediately if product is a part of critical infrastructure,
- Monitor network connectivity to ensure no confidential information has been leaked and record all attempts to gain unauthorized access.
- CWE-671: Lack of Administrator Control over Security [cwe.mitre.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.↑ Back to Top