CWE WEAKNESSES  /  CWE-306

CWE-306

Missing Authentication for Critical Function

What it is

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Impact

Mitigations

• [Architecture and Design]Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be ac
• [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
• [Architecture and Design]Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authenticati
• [Architecture and Design]Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
• [Implementation, System Configuration, Operation] When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

Real-world CVE examples

• CVE-2024-11680 — File-sharing PHP product does not check if user is logged in during requests for PHP library files under an includes/ directory, allowing configuration changes,
• CVE-2022-31260 — Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user t
• CVE-2022-29951 — TCP-based protocol in Programmable Logic Controller (PLC) has no authentication.
• CVE-2022-29952 — Condition Monitor firmware uses a protocol that does not require authentication.
• CVE-2022-30276 — SCADA-based protocol for bridging WAN and LAN traffic has no authentication.
• CVE-2022-30313 — Safety Instrumented System uses proprietary TCP protocols with no authentication.
• CVE-2022-30317 — Distributed Control System (DCS) uses a protocol that has no authentication.
• CVE-2021-21972 — Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences
• CVE-2020-10263 — Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
• CVE-2021-23147 — WiFi router does not require authentication for its UART port, allowing adversaries with physical access to execute commands as root
• CVE-2021-37415 — IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
• CVE-2020-13927 — Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.

Related weaknesses

Source: MITRE CWE. View on cwe.mitre.org →