Modes Of Introduction
Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Access Control Non-Repudiation | Hide Activities, Gain Privileges or Assume Identity
Note: Malicious users can fake authentication information, impersonating any IP address. | |
Observed Examples
Reference |
Description |
CVE-2022-30319 | S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address. |
Potential Mitigations
Phases : Architecture and Design
Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.
Vulnerability Mapping Notes
Rationale : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Related Attack Patterns
CAPEC-ID |
Attack Pattern Name |
CAPEC-4 |
Using Alternative IP Address Encodings This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control. |
References
REF-18
The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf REF-1371
IP address spoofing
https://en.wikipedia.org/wiki/IP_address_spoofing
Submission
Name |
Organization |
Date |
Date Release |
Version |
CLASP |
|
2006-07-19 +00:00 |
2006-07-19 +00:00 |
Draft 3 |
Modifications
Name |
Organization |
Date |
Comment |
CWE Content Team |
MITRE |
2008-09-08 +00:00 |
updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
CWE Content Team |
MITRE |
2010-02-16 +00:00 |
updated Description, Other_Notes |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences, Demonstrative_Examples |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated Demonstrative_Examples, Relationships |
CWE Content Team |
MITRE |
2013-06-23 +00:00 |
Changed type from composite to weakness. |
CWE Content Team |
MITRE |
2013-07-17 +00:00 |
updated Applicable_Platforms, Description, Name, Relationships, Type |
CWE Content Team |
MITRE |
2014-02-18 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated References, Relationships |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Description |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |
CWE Content Team |
MITRE |
2023-10-26 +00:00 |
updated Observed_Examples, References |