[Forgot Password]
Login  Register Subscribe

26408

 
 

132812

 
 

152126

 
 

909

 
 

121618

 
 

163

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Improper Privilege Management

ID: 269Date: (C)2012-05-14   (M)2020-10-19
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Likelihood of Exploit: Medium

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 
Gain privileges / assume identity
 
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
Operation
 
 Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
 
  
Architecture and Design
 
Separation of Privilege
 
Follow the principle of least privilege when assigning access rights to entities in a software system.
 
  
  Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
 
  

Relationships

Related CWETypeViewChain
CWE-269 ChildOf CWE-901 Category CWE-888  

Demonstrative Examples
None

Observed Examples

  1. CVE-2001-1555 : Terminal privileges are not reset when a user logs out.
  2. CVE-2001-1514 : Does not properly pass security context to child processes in certain cases, allows privilege escalation.
  3. CVE-2001-0128 : Does not properly compute roles.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Privilege Management Error
 
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 16: Executing Code With Too Much Privilege." Page 243'. Published on 2010.
  2. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 9, "Dropping Privileges Permanently", Page 479.'. Published on 2006.
CVE    1332
CVE-2013-7421
CVE-2014-9644
CVE-2019-16777
CVE-2008-2931
...

© SecPod Technologies