CWE-291: Reliance on IP Address for Authentication

VariantIncompleteExploit Likelihood: High

The product uses an IP address for authentication.

View on MITRE
Back to CWE Lookup

Extended Description

IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-291: Reliance on IP Address for Authentication?+

CWE-291: Reliance on IP Address for Authentication is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses an IP address for authentication. IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

What are the security consequences of Reliance on IP Address for Authentication?+

If exploited, CWE-291 (Reliance on IP Address for Authentication) it can compromise Access Control and Non-Repudiation, leading to outcomes such as Hide Activities and Gain Privileges or Assume Identity.

How do you prevent or mitigate Reliance on IP Address for Authentication?+

Recommended mitigations for CWE-291 include: Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

Which programming languages are affected by Reliance on IP Address for Authentication?+

CWE-291 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Reliance on IP Address for Authentication?+

MITRE documents real CVEs mapped to CWE-291, including CVE-2022-30319. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-291 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More