Variant · Draft

CWE-782: Exposed IOCTL with Insufficient Access Control

Category: other

Description

The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

Common consequences · 1

  • Integrity / Availability / Confidentiality — Varies by Context
    Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data.

Potential mitigations · 1

  • [Architecture and Design] In Windows environments, use proper access control for the associated device or device namespace. See References.

References

  1. https://cwe.mitre.org/data/definitions/782.html

Compliance frameworks addressing this (incoming) · 1

  Type               Target     Confidence  Tier
  ComplianceControl  cis_v8-8   100%        live

(incoming) · 1

  Type      Target                                                                          Confidence  Tier
  KEVEntry  Dell dbutil Driver Insufficient Access Control Vulnerability (kev-cve-2021-21551)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Access Control for Register Interface
  • CWE: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
  • CWE: Improper Restriction of Software Interfaces to Hardware Features
  • CWE: Incorrect Use of Privileged APIs
  • CWE: Internal Asset Exposed to Unsafe Debug Access Level or State
  • CWE: Improper Prevention of Lock Bit Modification

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.