> On Jan 8, 2024, at 6:43 AM, Przemyslaw Roguski <[email protected]> wrote:
>
> Hello Everyone and Happy New Year to all of you!
>
> David, in my opinion the CWE-1188: Initialization of a Resource with an Insecure Default describes your "insecure default" general use case pretty well.
> See the extended description:
> "Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it."
>
> We could update this weakness with a more descriptive description and we could update examples.

I agree that CWE-1188 could be *rewritten* to become a general "insecure default". However, as written CWE-1188 is *not* clearly the same thing at all, and I think it'd be better to clearly identify a new CWE for this new (broader) category.

When I want to know what a CWE really is, I look at its demonstrative example for clarification. The example describes a straight-up vulnerability in some PHP code when register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials. The problem, in this case, is that *attackers* can control the default value. You could disable register_globals, but you could *ALSO* rewrite the code as recommended so that attackers don't control the default value. The text of the CWE implies that the problem is that attackers can control the default value. (Using register_globals is still a terrible idea, but that's not relevant to this example.)

Another clue that CWE-1188 isn't the general case is the extreme narrowness of its title. It says "Initialization of a Resource...". But resources are NOT relevant. I think what's needed is a CWE that says "Insecure Default" and NO OTHER TEXT IN THE TITLE. If there's additional text in its title, such as "initialization" or "resource", then that's different. This new CWE should cover ANY case where the default is insecure, including bad default passwords, bad default crypto algorithms/protocols, default passwords, insecure network protocols, and anything else where the default isn't the secure option.

I don't think CWE-1188's scope should be changed so much as to be unrecognizable. There are many integers available for assignment :-). I think there needs to be a new CWE "Insecure Default". Once that's created, then CWE-1188 (& others) could be clarified as being specific examples of the more general case. It would be possible to generalize this existing CWE, but I fear that such a large change in meaning would be a problem.

Again, the underlying issue is that modern systems are too complex to assume that people will configure them. Systems will, in almost all cases, do whatever the default is. If the default for "normal use" is insecure, then the software is insecure.

--- David A. Wheeler
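The register_globals scenario described in the message above, as an added example that is not part of the original thread and is not CWE's own demonstrative code. register_globals was removed in PHP 5.4, so the script emulates it with extract($_POST), which likewise turns every request parameter into a local variable. login_user() and the request array are constructed stand-ins; the point is the difference between a default that the request controls and one the code sets itself.

```php
<?php
// Added example: emulates the CWE-1188 / register_globals case.
// extract() reproduces what register_globals did: every request
// parameter becomes a variable in the current scope.

// Stand-in for a real credential check. Assumption for this example:
// the supplied credentials are never valid, so any "authorized" result
// can only come from the default.
function login_user(?string $user, ?string $pass): bool {
    return false;
}

// Vulnerable pattern: $authorized is read before the code ever sets it,
// so its value is whatever the request happened to contain.
function check_vulnerable(array $post): bool {
    extract($post);                              // emulates register_globals
    if (login_user($user ?? null, $pass ?? null)) {
        $authorized = true;
    }
    // The default is attacker-controlled: a POST parameter named
    // "authorized" lands here as a pre-set variable.
    return !empty($authorized);
}

// Hardened pattern (the fix CWE recommends): take only the parameters the
// code expects, and set the secure default before any check runs.
function check_fixed(array $post): bool {
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    $authorized = false;                         // default chosen by the code
    if (login_user($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus the unexpected third
// parameter that the attacker adds.
$attack = ['user' => 'alice', 'pass' => 'wrong', 'authorized' => 'true'];

var_dump(check_vulnerable($attack));
var_dump(check_fixed($attack));
```

Run it with the PHP CLI. The vulnerable check grants access on the strength of the "authorized" parameter alone, while the hardened check ignores that parameter because it never lets the request supply the default. Disabling extract() (or register_globals) would also close the hole, but the rewrite closes it regardless of the runtime configuration, which is the point made above about who controls the default.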
