CWE Glossary

CWE is a trademark of the MITRE Corporation.


Lack of Administrator Control over Security [CWE-671]

This weakness describes a case where implemented security features do not grant administrators full control over product security.

Created: February 28, 2014
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Affected software
  4. Severity and CVSS Scoring
  5. Mitigations
  6. References

1. Description

This weakness describes a situation where the implemented security features prevent the product's administrators from changing security settings to reflect their environment. As a result, the product's administrator is unable to perform desired actions beyond the bounds implied by the implementation. This weakness can be introduced during the design or implementation stages of the product's development process.

Examples of this issue are hard-coded administrator credentials or hidden accounts. The product administrator is unable to change the password or even see the hidden account and therefore cannot prevent unauthorized access to the product. This exposes the product to outside threats, including the developer of the product itself.

This weakness is usually spotted in firmware and software intended for multilevel access privileges. Exploitation of this weakness may result in complete control over the affected product, but it can require a certain level of privileges within the application or a particular environment.
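To make the hard-coded/hidden-account case concrete, the following added example (not code from the page or from any real product; class names, sample accounts and passwords are constructed) puts a vulnerable authenticator that silently accepts a built-in "support" login next to a hardened one in which every account, vendor accounts included, sits in a store the administrator can list, reset and disable.

```python
"""CWE-671 illustrated: a hidden, hard-coded account beside an administrator-controlled
account store. Constructed example: class names, sample accounts and passwords are
assumptions made for illustration, not code from any real product."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# ---- Vulnerable pattern: a vendor account the administrator can neither see nor change ----
_HIDDEN_SUPPORT_PASSWORD = "factory-default"  # baked in at build time (constructed value)


class VulnerableAuth:
    """Checks the administrator's account table, but also accepts a hidden 'support' login."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}  # username -> password (plaintext, for brevity)

    def add_account(self, username: str, password: str) -> None:
        self.accounts[username] = password

    def list_accounts(self) -> List[str]:
        # 'support' never appears here, so the administrator cannot audit, reset or remove it.
        return sorted(self.accounts)

    def login(self, username: str, password: str) -> bool:
        if username == "support" and password == _HIDDEN_SUPPORT_PASSWORD:
            return True  # bypasses every setting the administrator controls
        return self.accounts.get(username) == password


# ---- Hardened pattern: every account lives in one store under administrator control ----
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    role: str = "user"
    enabled: bool = True


class ControlledAuth:
    """All accounts, vendor ones included, can be listed, reset, disabled and audited."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_account(self, username: str, password: str, role: str = "user") -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, self._hash(password, salt), role)

    def list_accounts(self) -> List[str]:
        return sorted(self.accounts)  # nothing is hidden from the administrator

    def set_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new_password, acct.salt)

    def disable(self, username: str) -> None:
        self.accounts[username].enabled = False

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            self.audit_log.append(f"DENY user={username} reason=unknown-or-disabled")
            return False
        ok = hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))
        self.audit_log.append(f"{'ALLOW' if ok else 'DENY'} user={username}")
        return ok


def demo() -> Dict[str, object]:
    """Run both designs through the same administrator actions and report the outcome."""
    vuln = VulnerableAuth()
    vuln.add_account("alice", "s3cret")
    ctrl = ControlledAuth()
    ctrl.add_account("alice", "s3cret", role="admin")
    ctrl.add_account("support", "factory-default", role="vendor")
    ctrl.set_password("support", "rotated-by-admin")  # the administrator can rotate it ...
    old_ok = ctrl.login("support", "factory-default")
    new_ok = ctrl.login("support", "rotated-by-admin")
    ctrl.disable("support")                           # ... and switch it off entirely
    return {
        "vuln_visible": vuln.list_accounts(),                                 # ['alice']
        "vuln_hidden_login": vuln.login("support", _HIDDEN_SUPPORT_PASSWORD),  # True
        "ctrl_visible": ctrl.list_accounts(),                                 # ['alice', 'support']
        "ctrl_old_password_after_reset": old_ok,                              # False
        "ctrl_new_password_after_reset": new_ok,                              # True
        "ctrl_disabled_login": ctrl.login("support", "rotated-by-admin"),     # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is not the hashing (PBKDF2 and a constant-time compare are simply good hygiene) but that there is exactly one account store and every operation the administrator needs (enumerate, reset, disable, audit) works on all entries in it; the vendor account is still present, it is just no longer outside the administrator's control.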

2. Potential impact

An attacker can leverage the lack of administrative control to conceal the presence of unwanted product features or other functionality, e.g. to place a backdoor or a hidden administrative account.

3. Affected software

Software that uses different security roles or contains security features can be affected by this weakness.

4. Severity and CVSS Scoring

This weakness is usually called a backdoor and is scored with the highest severity rating. The existence of a hard-coded or hidden administrative account should be scored as:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) – Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

5. Mitigations

There are no general recommendations to mitigate this weakness. The existence of a backdoor within an application requires the immediate attention of security personnel. The following measures are recommended depending on the type of possible threat and the consequences of unauthorized access:

  1. Implement access restriction policies. If the product has access to untrusted networks, use proper ACLs based on IP addresses, protocols, etc.
  2. Disconnect the product immediately if it is part of critical infrastructure.
  3. Monitor network connectivity to ensure no confidential information has been leaked, and record all attempts to gain unauthorized access.
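Measures 1 and 3 above can be backed by a simple review of the product's authentication log against what the administrator can actually see. The following added example (not code from the page; the log format, the visible-account list, the permitted networks and the log lines are all constructed) flags successful logins for accounts absent from the administrator's account list, successful logins from outside the permitted networks, and counts failed attempts per source address.

```python
"""Review a product's authentication log against the administrator's own view of it.
Constructed example: the log format, the account list, the permitted networks and the
sample log lines are assumptions made for illustration, not output of any real product."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Set

# Accounts the administrator can see in the management interface (constructed).
ADMIN_VISIBLE_ACCOUNTS: Set[str] = {"alice", "bob", "backup"}

# Networks from which logins are permitted by the ACL of measure 1 (constructed).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Assumed log line format: "<timestamp> auth <ALLOW|DENY> user=<name> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ALLOW|DENY) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: three failures from an external address, then a successful
# login by 'support', an account the administrator has never seen.
SAMPLE_LOG = """\
2015-08-06T10:00:01Z auth ALLOW user=alice src=10.1.2.3
2015-08-06T10:00:07Z auth DENY user=bob src=203.0.113.9
2015-08-06T10:00:09Z auth DENY user=bob src=203.0.113.9
2015-08-06T10:00:11Z auth DENY user=bob src=203.0.113.9
2015-08-06T10:05:42Z auth ALLOW user=support src=203.0.113.9
2015-08-06T10:06:00Z auth ALLOW user=backup src=192.168.1.20
"""


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield the fields of every line that matches the assumed format; skip the rest."""
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match:
            yield match.groupdict()


def review(
    lines: Iterable[str],
    visible_accounts: Set[str] = ADMIN_VISIBLE_ACCOUNTS,
    allowed_networks=ALLOWED_NETWORKS,
) -> Dict[str, object]:
    """Compare the log with the administrator's view and return the findings."""
    hidden_account_logins: List[tuple] = []   # ALLOW for a user the admin cannot see
    logins_outside_acl: List[tuple] = []      # ALLOW from a source the ACL should block
    failed_by_source: Counter = Counter()     # DENY count per source address
    for entry in parse(lines):
        src = ipaddress.ip_address(entry["src"])
        if entry["result"] == "ALLOW":
            if entry["user"] not in visible_accounts:
                hidden_account_logins.append((entry["ts"], entry["user"], entry["src"]))
            if not any(src in net for net in allowed_networks):
                logins_outside_acl.append((entry["user"], entry["src"]))
        else:
            failed_by_source[entry["src"]] += 1
    return {
        "hidden_account_logins": hidden_account_logins,
        "logins_outside_acl": logins_outside_acl,
        "failed_attempts_by_source": dict(failed_by_source),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {finding}")
```

A successful login for a username the management interface does not list is the strongest indicator this check can produce: either the log is wrong or an account exists outside the administrator's control, which is exactly the condition CWE-671 describes.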

6. References

  1. CWE-671: Lack of Administrator Control over Security [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
