{"@ID": "441", "@Name": "Unintended Proxy or Intermediary ('Confused Deputy')", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.", "Extended_Description": {"xhtml:p": ["If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.", "Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:"], "xhtml:ul": {"xhtml:li": ["The product runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component;", "The attacker is prevented from making the request directly to the target; and", "The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, hardware IP, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources."]}}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "610", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "668", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Alternate_Terms": {"Alternate_Term": {"Term": "Confused Deputy", "Description": "This weakness is sometimes referred to as the \"Confused deputy\" problem, in which an attacker misuses the authority of one victim (the \"confused deputy\") to use that victim's legitimate (restricted) capabilities to target another victim."}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}}, "Common_Consequences": {"Consequence": {"Scope": ["Non-Repudiation", "Access Control"], "Impact": ["Gain Privileges or Assume Identity", "Hide Activities", "Execute Unauthorized Code or Commands"]}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Enforce the use of strong mutual authentication mechanism between the two parties."}, {"Phase": "Architecture and Design", "Description": "Whenever a product is an intermediary or proxy for\n                   transactions between two other components, the proxy core\n                   should not drop the identity of the initiator of the\n                   transaction. The immutability of the identity of the\n                   initiator must be maintained and should be forwarded all the\n                   way to the target."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "A SoC contains a microcontroller (running ring-3\n                     (least trusted ring) code), a Memory Mapped Input Output\n                     (MMIO) mapped IP core (containing design-house secrets),\n                     and a Direct Memory Access (DMA) controller, among several\n                     other compute elements and peripherals. The SoC implements\n                     access control to protect the registers in the IP core\n                     (which registers store the design-house secrets) from\n                     malicious, ring-3 (least trusted ring) code executing on\n                     the microcontroller.  The DMA controller, however, is not\n                     blocked off from accessing the IP core for functional\n                     reasons.", "Example_Code": [{"@Nature": "Bad", "@Language": "Other", "#text": "The code in ring-3 (least trusted ring) of the\n                     microcontroller attempts to directly read the protected\n                     registers in IP core through MMIO transactions. However,\n                     this attempt is blocked due to the implemented access\n                     control. Now, the microcontroller configures the DMA core\n                     to transfer data from the protected registers to a memory\n                     region that it has access to. The DMA core, which is\n                     acting as an intermediary in this transaction, does not\n                     preserve the identity of the microcontroller and, instead,\n                     initiates a new transaction with its own identity. Since\n                     the DMA core has access, the transaction (and hence, the\n                     attack) is successful."}, {"@Nature": "Good", "@Language": "Other", "#text": "The DMA\n                     core forwards this transaction with the identity of the\n                     code executing on the microcontroller, which is the\n                     original initiator of the end-to-end transaction. Now the\n                     transaction is blocked, as a result of forwarding the\n                     identity of the true initiator which lacks the permission\n                     to access the confidential MMIO mapped IP core."}], "Body_Text": "The weakness here is that the intermediary or the\n                     proxy agent did not ensure the immutability of the\n                     identity of the microcontroller initiating the\n                     transaction."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-1999-0017", "Description": "FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-0017"}, {"Reference": "CVE-1999-0168", "Description": "RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-0168"}, {"Reference": "CVE-2005-0315", "Description": "FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-0315"}, {"Reference": "CVE-2002-1484", "Description": "Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1484"}, {"Reference": "CVE-2004-2061", "Description": "CGI script accepts and retrieves incoming URLs.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2061"}, {"Reference": "CVE-2001-1484", "Description": "Bounce attack allows access to TFTP from trusted side.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1484"}, {"Reference": "CVE-2010-1637", "Description": "Web-based mail program allows internal network scanning using a modified POP3 port number.", "Link": "https://www.cve.org/CVERecord?id=CVE-2010-1637"}, {"Reference": "CVE-2009-0037", "Description": "URL-downloading library automatically follows redirects to file:// and scp:// URLs", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0037"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Unintended proxy/intermediary"}, {"@Taxonomy_Name": "PLOVER", "Entry_Name": "Proxied Trusted Channel"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "32", "Entry_Name": "Routing Detour"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "219"}, {"@CAPEC_ID": "465"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-432"}, {"@External_Reference_ID": "REF-1125"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain."}, {"@Type": "Maintenance", "#text": "This could possibly be considered as an emergent resource."}, {"@Type": "Theoretical", "#text": "It could be argued that the \"confused deputy\" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-14", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "Per Intel Corporation suggestion, added language to be inclusive to hardware: updated Demonstrative_Examples, Description, Extended_Description, Applicable_Platforms, Potential_Mitigation, Common_Consequences, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Alternate_Terms, Relationships, Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Arun Kanuparthi, Hareesh Khattri, Parbati K. Manna", "Contribution_Organization": "Intel Corporation", "Contribution_Date": "2020-08-14", "Contribution_Comment": "Provided demonstrative example"}, "Previous_Entry_Name": {"@Date": "2013-02-21", "#text": "Unintended Proxy/Intermediary"}}}
