CWE-1390¶
Weak Authentication. [Improper-Access-Control]
Required inputs: IR
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Demonstrative Examples
Example 1
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple OT products used weak authentication.
Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.Possible Messages
Key |
Text |
Severity |
Disabled |
|---|---|---|---|
assignment |
Assigning a literal to a variable holding a password. |
None |
False |
comparison |
Comparing a literal to a password. |
None |
False |
key |
The string literal might include a private key. |
None |
False |
parameter |
Passing a literal to a password parameter. |
None |
False |
return |
Returning a literal as a password. |
None |
False |
Options¶
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
critical_routines_pattern¶
critical_routines_pattern : typing.Pattern[str] = 'authenticate'
key_detection_pattern¶
key_detection_pattern : typing.Pattern[str] = 'BEGIN (.*) PRIVATE KEY'
suspect_detection_pattern¶
suspect_detection_pattern : typing.Pattern[str] = 'password'