Merge pull request #243 from raphaelahrens/rewrite_AC22

Replaced AC22 with AC23 and AC24
izar · May 28, 2024 · b4ac2e0 · b4ac2e0
2 parents b0c4388 + 283de31
commit b4ac2e0
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 5 deletions.
diff --git a/pytm/pytm.py b/pytm/pytm.py
@@ -818,9 +818,9 @@ def _add_threats(self):
             raise UIError(
                 e, f"while trying to open the the threat file ({self.threatsFile})."
             )
-
-        for i in threats_json:
-            TM._threats.append(Threat(**i))
+        active_threats = (threat for threat in threats_json if "DEPRECATED" not in threat)
+        for threat in active_threats:
+            TM._threats.append(Threat(**threat))
 
     def resolve(self):
         finding_count = 0

diff --git a/pytm/threatlib/threats.json b/pytm/threatlib/threats.json
@@ -1560,6 +1560,7 @@
   },
   {
     "SID": "AC22",
+    "DEPRECATED": "AC22 was replaced by AC23 and AC24. Forcing short lived credentials by rotating the credentials regularly is no longer recommended. It better to go for long living strong credentials, which can be easily replaced, when a disclosure has happend.",
     "target": [
       "Dataflow"
     ],
@@ -1572,5 +1573,35 @@
     "mitigations": "All passwords and other credentials should have a relatively short expiration date with a possibility to be revoked immediately under special circumstances.",
     "example": "",
     "references": "https://cwe.mitre.org/data/definitions/262.html, https://cwe.mitre.org/data/definitions/263.html, https://cwe.mitre.org/data/definitions/798.html"
+  },
+  {
+    "SID": "AC23",
+    "target": [
+      "Dataflow"
+    ],
+    "description": "Credentials Disclosure",
+    "details": "If credentials (passwords or certificates) have a long lifetime their disclosure can have severe consequences, if the credentials cannot quickly be revoked and/or rotated.",
+    "Likelihood Of Attack": "Medium",
+    "severity": "High",
+    "prerequisites": "",
+    "condition": "any(d.isCredentials for d in target.data) and target.sink.inScope and any(d.credentialsLife in (Lifetime.UNKNOWN, Lifetime.LONG, Lifetime.MANUAL) for d in target.data)",
+    "mitigations": "Long living credentials need to have high entropy and length to be future proof, especially if it is unknwon how long these credentials will be used. Further should there be a mechanism to revoke the credentials immediately if a disclosure is suspected. To detect disclosure of the credentials their use should be monitored for suspicions activity.",
+    "example": "",
+    "references": "https://pages.nist.gov/800-63-3/sp800-63b.html#sec6"
+  },
+  {
+    "SID": "AC24",
+    "target": [
+      "Dataflow"
+    ],
+    "description": "Use of hardcoded credentials",
+    "details": "Hardcoded credentials (password or certificates) cannot be changed and if these credentials are dislcosed they can be used by attackers to bypass the authentication mechanism.",
+    "Likelihood Of Attack": "High",
+    "severity": "Very High",
+    "prerequisites": "",
+    "condition": "any(d.isCredentials for d in target.data) and target.sink.inScope and any(d.credentialsLife == Lifetime.HARDCODED for d in target.data)",
+    "mitigations": "Avoid hardcoded credentials. If you have to use hardcoded credentials make is possible to change the credentials or to deactivate them. A typical design is to use a \"first login\"-mode which forces the user to create new credentials, on the first login. If the credentials cannot be changed the sole actions in prodcution for the defender is to deactivate/remove the effected product.",
+    "example": "",
+    "references": "https://cwe.mitre.org/data/definitions/798.html, https://cwe.mitre.org/data/definitions/259.html, https://cwe.mitre.org/data/definitions/321.html"
   }
 ]
diff --git a/tests/test_pytmfunc.py b/tests/test_pytmfunc.py
@@ -1462,7 +1462,19 @@ def test_AC21(self):
         threat = threats["AC21"]
         self.assertTrue(threat.apply(process1))
 
-    def test_AC22(self):
+    def test_AC23(self):
+        user = Actor("User")
+        web = Server("Web Server")
+        user_to_web = Dataflow(user, web, "User enters comments (*)")
+        user_to_web.data = Data(
+            "password", isCredentials=True, credentialsLife=Lifetime.LONG
+        )
+        user_to_web.protocol = "HTTPS"
+        user_to_web.controls.isEncrypted = True
+        threat = threats["AC23"]
+        self.assertTrue(threat.apply(user_to_web))
+
+    def test_AC24(self):
         user = Actor("User")
         web = Server("Web Server")
         user_to_web = Dataflow(user, web, "User enters comments (*)")
@@ -1471,7 +1483,7 @@ def test_AC22(self):
         )
         user_to_web.protocol = "HTTPS"
         user_to_web.controls.isEncrypted = True
-        threat = threats["AC22"]
+        threat = threats["AC24"]
         self.assertTrue(threat.apply(user_to_web))
 
     def test_DR01(self):