Improper Privilege Management

ID: CWE-269
Date: created 2012-05-14, modified 2022-10-10
Type: Weakness
Status: Incomplete
Abstraction Type: Base





Description

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Likelihood of Exploit: Medium

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Related Attack Patterns

Common Consequences

Scope           | Technical Impact                   | Notes
Access Control  | Gain privileges / assume identity  |

Detection Methods
None

Potential Mitigations

Phase                               | Strategy                 | Description                                                                                                                                                                                                                                                          | Effectiveness | Notes
Architecture and Design; Operation  |                          | Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.                                                                                                                                            |               |
Architecture and Design             | Separation of Privilege  | Follow the principle of least privilege when assigning access rights to entities in a software system. Consider following the principle of separation of privilege: require multiple conditions to be met before permitting access to a system resource.            |               |
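The mitigations above (and the "Dropping Privileges Permanently" reference below) come down to two practical rules: change privileges in the right order while checking every return value, and verify afterwards that the drop is real and permanent. The following is an added example, not code from this CWE entry, from MITRE or from SecPod. It shows the broken ordering next to a hardened routine for a POSIX/Linux process that starts as root, drops to an unprivileged identity, and confirms that root cannot be regained. The function names (drop_privileges, drop_privileges_wrong, run_drop_test) and the choice of uid/gid 65534 as "nobody" are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in glibc's <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not the CWE entry's code.  Broken pattern of the kind
 * CWE-269 describes: the order is wrong and the results are ignored.  Once
 * setuid() has succeeded the process is no longer root, so setgid() fails
 * with EPERM and the process silently keeps gid 0 and its supplementary
 * groups.  Shown for contrast only; do not use. */
void drop_privileges_wrong(uid_t uid, gid_t gid)
{
    setuid(uid);   /* drops the uid first ... */
    setgid(gid);   /* ... so this can no longer succeed, and nobody notices */
}

/* Hardened version.  Order: supplementary groups, primary gid, then uid,
 * each call checked.  setuid() rather than seteuid() is used so the saved
 * uid changes too and root cannot be regained later.  Returns 0 when the
 * new identity is in place and verified, -1 otherwise (caller must abort). */
int drop_privileges(uid_t uid, gid_t gid)
{
    const int was_root = (geteuid() == 0);

    /* Only root may change the supplementary group list; a non-root caller
     * has no extra groups it was granted as a privilege to shed here. */
    if (was_root && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)          /* must happen while still uid 0 */
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the identity actually changed, real and effective ids alike. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* Verify the drop is permanent: regaining uid 0 must now fail.  If it
     * succeeds, the saved uid was still 0 (e.g. seteuid() was used). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run drop_privileges() in a child process, the usual place for it (before
 * the child execs a less-trusted program), and report the child's result so
 * the parent keeps its own identity.  If we start as root, drop to uid/gid
 * 65534 ("nobody" on many Linux systems; an assumption of this example);
 * otherwise "drop" to our own ids, which exercises every check without
 * needing root.  Returns 0 when the child dropped and verified, nonzero
 * otherwise. */
int run_drop_test(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(drop_privileges(uid, gid) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_drop_test();
    printf("privilege drop %s (parent euid %ld)\n",
           rc == 0 ? "verified" : "FAILED", (long)geteuid());
    return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user and once under sudo: in both cases the child ends up with the intended ids and the attempt to return to uid 0 fails. Swapping drop_privileges() for drop_privileges_wrong() in a root run leaves the child with gid 0, which is exactly the "unintended sphere of control" the description refers to.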

Relationships

Related CWE | Type     | View      | Chain
CWE-269     | ChildOf  | CWE-901 (Category) | in view CWE-888

Demonstrative Examples
None

Observed Examples

  1. CVE-2001-1555 : Terminal privileges are not reset when a user logs out.
  2. CVE-2001-1514 : Does not properly pass security context to child processes in certain cases, allows privilege escalation.
  3. CVE-2001-0128 : Does not properly compute roles.

For more examples, refer to the list of related CVEs at the end of this page.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name                        | Fit
PLOVER   |    | Privilege Management Error  |

References:

  1. Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section: "Sin 16: Executing Code With Too Much Privilege", page 243.
  2. Mark Dowd, John McDonald, and Justin Schuh. The Art of Software Security Assessment, 1st edition. Addison-Wesley, 2006. Section: Chapter 9, "Dropping Privileges Permanently", page 479.
Related CVEs (2071 total; first entries shown):

CVE-2011-1526
CVE-2011-3349
CVE-2011-3054
CVE-2011-2177
...

© SecPod Technologies