CWE-15: External Control of System or Configuration Setting
Learn about CWE-15 (External Control of System or Configuration Setting), its security impact, exploitation methods, and prevention guidelines.
What is External Control of System or Configuration Setting?
• Overview: External Control of System or Configuration Setting (CWE-15) occurs when a user can manipulate system settings or configuration elements that should not be externally accessible, leading to potential disruptions or malicious behavior in an application.
• Exploitation Methods:
- Attackers can manipulate configuration files or system settings remotely if these are inadequately protected.
- Common attack patterns include altering environment variables, modifying configuration files, or using APIs that allow setting changes.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized changes to system behavior or service outages.
- Potential cascading effects might involve data corruption, security policy violations, or further exploitation due to altered security settings.
- Business impact could range from service disruption, loss of customer trust, to financial loss due to operational downtime or data breaches.
• Prevention Guidelines:
- Specific code-level fixes include validating and sanitizing all inputs that can alter configuration settings.
- Security best practices involve restricting access to configuration settings, applying the principle of least privilege, and ensuring that sensitive settings cannot be modified from outside the trusted boundary.
- Recommended tools and frameworks include configuration management tools that enforce access controls, and security scanning tools that detect configuration settings exposed to external control.
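As an added example (not taken from the CWE entry), the Python below contrasts a settings-update handler that writes every submitted key straight into the application configuration (the CWE-15 pattern) with a hardened version that applies only an allowlisted set of keys whose values pass a validator. The configuration dictionary, the parameter names and the helper functions are constructed for this illustration.

```python
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample configuration for a hypothetical application (not from the CWE entry).
DEFAULT_CONFIG: Dict[str, Any] = {
    "debug": False,                  # must never be user-controllable
    "log_path": "/var/log/app.log",  # must never be user-controllable
    "theme": "light",
    "items_per_page": 25,
}

def apply_settings_unsafe(config: Dict[str, Any], params: Dict[str, str]) -> Dict[str, Any]:
    """CWE-15 pattern: every submitted key is written straight into the config,
    so a request carrying debug=True or a new log_path changes protected settings."""
    updated = dict(config)
    for key, value in params.items():
        updated[key] = value  # no allowlist, no type or range check
    return updated

def _items_per_page(raw: str) -> Any:
    # Accept only an integer in 1..100; None signals rejection.
    return int(raw) if raw.isdigit() and 1 <= int(raw) <= 100 else None

# Hardened pattern: the only keys a user may change, each paired with a validator
# that returns the coerced value, or None when the value is not acceptable.
USER_SETTABLE: Dict[str, Callable[[str], Any]] = {
    "theme": lambda raw: raw if raw in ("light", "dark") else None,
    "items_per_page": _items_per_page,
}

def apply_settings_safe(config: Dict[str, Any], params: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply only allowlisted, validated keys; return the rest so the caller can log them."""
    updated = dict(config)
    rejected: List[str] = []
    for key, raw in params.items():
        validator = USER_SETTABLE.get(key)
        value = validator(raw) if validator else None
        if value is None:
            rejected.append(key)  # unknown key or invalid value: ignored, not applied
            continue
        updated[key] = value
    return updated, rejected

if __name__ == "__main__":
    # Constructed request: one legitimate change plus attempts on protected keys.
    request = {"theme": "dark", "debug": "True", "log_path": "/tmp/x", "items_per_page": "500"}
    print(apply_settings_unsafe(DEFAULT_CONFIG, request))
    print(apply_settings_safe(DEFAULT_CONFIG, request))
```

The rejected-key list is worth logging: repeated attempts to set keys outside the allowlist are a useful detection signal for this weakness being probed.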
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not Technology-Specific, ICS/OT