CWE-1280: Access Control Check Implemented After Asset is Accessed

ID CWE-1280

Abstraction Base

Structure Simple

Status Incomplete

A product's hardware-based access control check occurs after the asset has been accessed.

The product implements a hardware-based access control check. The asset should be accessible only after the check is successful. If, however, this operation is not atomic and the asset is accessed before the check is complete, the security of the system may be compromised.

Modes of Introduction

Phase	Note
Implementation

Applicable Platforms

Type	Class	Name
Language		Verilog
Language		VHDL
Language	Not Language-Specific
Operating_system	Not OS-Specific
Architecture	Not Architecture-Specific
Technology	Not Technology-Specific

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-696	Incorrect Behavior Order	Class	Simple	Incomplete
CWE-1000	Research Concepts	Draft	CWE-284	Improper Access Control	Pillar	Simple	Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org

# ID	Name	Weaknesses
CAPEC-180	Exploiting Incorrectly Configured Access Control Security Levels	CWE-1280