Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-441 (未有动机的代理或中间人(混淆代理)) — Vulnerability Class 33

33 vulnerabilities classified as CWE-441 (未有动机的代理或中间人(混淆代理)). AI Chinese analysis included.

CWE-441 represents a design flaw where a system acts as an unintended intermediary, failing to preserve the original requestor’s identity when forwarding messages to external actors. This weakness allows attackers to exploit the system by manipulating upstream components to issue malicious requests that appear to originate from the trusted application itself. Consequently, the vulnerable software performs actions on behalf of the attacker, potentially bypassing access controls or triggering unintended side effects within protected resources. To mitigate this risk, developers must implement robust identity preservation mechanisms, such as cryptographic signing or secure token passing, ensuring that the true source of every request is explicitly validated and maintained throughout the communication chain. By strictly enforcing source authentication and avoiding blind forwarding, organizations can prevent their systems from being coerced into acting as confused deputies for unauthorized operations.

MITRE CWE Description
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker. Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when: The product runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component; The attacker is prevented from making the request directly to the target; and The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, hardware IP, or service. Or, the request might be sent to an allo…
Common Consequences (1)
Non-Repudiation, Access ControlGain Privileges or Assume Identity, Hide Activities, Execute Unauthorized Code or Commands
Mitigations (2)
Architecture and DesignEnforce the use of strong mutual authentication mechanism between the two parties.
Architecture and DesignWhenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.
Examples (1)
A SoC contains a microcontroller (running ring-3 (least trusted ring) code), a Memory Mapped Input Output (MMIO) mapped IP core (containing design-house secrets), and a Direct Memory Access (DMA) controller, among several other compute elements and peripherals. The SoC implements access control…
The code in ring-3 (least trusted ring) of the
                     microcontroller attempts to directly read the protected
                     registers in IP core through MMIO transactions. However,
                     this attempt is blocked due to the implemented access
                     control. Now, the microcontroller configures the DMA core
                     to transfer data from the protected registers to a memory
                     region that it has access to. The DMA core, which is
                     acting as an intermediary in this transaction, does not
Bad · Other
The DMA
                     core forwards this transaction with the identity of the
                     code executing on the microcontroller, which is the
                     original initiator of the end-to-end transaction. Now the
                     transaction is blocked, as a result of forwarding the
                     identity of the true initiator which lacks the permission
                     to access the confidential MMIO mapped IP core.
Good · Other
CVE IDTitleCVSSSeverityPublished
CVE-2019-3996 ELOG 安全漏洞 — ELOG 5.3 -2019-12-17
CVE-2019-1841 Cisco DNA Center Unintended Proxy Via SWIM Import Interface Vulnerability — Cisco Digital Network Architecture Center (DNA Center) 8.1 -2019-04-18
CVE-2019-3924 MikroTik RouterOS 安全漏洞 — MikroTik RouterOS 9.1 -2019-02-20

Vulnerabilities classified as CWE-441 (未有动机的代理或中间人(混淆代理)) represent 33 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.