CAPEC-121: Exploit Non-Production Interfaces
An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.
Non-production interfaces are insecure by default and should not be resident on production systems, since they may reveal sensitive information or functionality that should not be known to end-users. However, such interfaces may be unintentionally left enabled on a production system due to configuration errors, supply chain mismanagement, or other pre-deployment activities.
Ultimately, failure to properly disable non-production interfaces, in a production environment, may expose a great deal of diagnostic information or functionality to an adversary, which can be utilized to further refine their attack. Moreover, many non-production interfaces do not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may contain many flaws and vulnerabilities that could allow an adversary to severely disrupt a target.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-489 | Active Debug Code | weakness |
| CWE-1209 | Failure to Disable Reserved Bits | weakness |
| CWE-1259 | Improper Restriction of Security Token Assignment | weakness |
| CWE-1267 | Policy Uses Obsolete Encoding | weakness |
| CWE-1270 | Generation of Incorrect Security Tokens | weakness |
| CWE-1294 | Insecure Security Identifier Mechanism | weakness |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | weakness |
| CWE-1296 | Incorrect Chaining or Granularity of Debug Components | weakness |
| CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) | weakness |
| CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime | weakness |