CWE-268 – Privilege Chaining

Description

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-269

Consequences

Access Control: Gain Privileges or Assume Identity

A user can be given or gain access rights of another user. This can give the user unauthorized access to sensitive information including the access information of another user.

Potential Mitigations

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
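
The separation-of-privilege mitigation above, worked as a small policy check: a sensitive grant must pass more than one independent condition, and a principal may never extend its own rights. This is an added example, not code from the page or from MITRE; the roles, permissions, forbidden pairs and the names ROLE_PERMISSIONS, chained_permissions and can_assign_role are all constructed for a hypothetical admin console.

```python
"""Separation-of-privilege check against privilege chaining (CWE-268).
Added example, not code from the page or from MITRE. Roles, permissions
and the forbidden-pair policy are constructed for a hypothetical admin
console; the rules (require more than one condition before a sensitive
grant; never let a principal extend its own rights) follow the page."""

# Constructed role -> permission map.
ROLE_PERMISSIONS = {
    "operator":   {"view_config", "restart_service"},
    "user_admin": {"create_user", "reset_password"},
    "role_admin": {"assign_role"},
    "backup":     {"read_all_files"},
    "deployer":   {"write_app_files"},
}

# Permission pairs that are harmless alone but, held by one principal,
# chain into a capability nobody was meant to have (constructed policy).
FORBIDDEN_PAIRS = {
    frozenset({"create_user", "assign_role"}),         # create an account, then make it admin
    frozenset({"reset_password", "assign_role"}),      # take over an existing privileged account
    frozenset({"read_all_files", "write_app_files"}),  # read secrets, then alter the application
}

def effective_permissions(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def chained_permissions(roles):
    """Forbidden pairs that this role set would hold at the same time."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(p)) for p in FORBIDDEN_PAIRS if p <= perms)

def can_assign_role(actor, actor_roles, target, target_roles, new_role):
    """Decide one role grant. Returns (allowed, reason)."""
    if new_role not in ROLE_PERMISSIONS:
        return False, "unknown role"
    if "assign_role" not in effective_permissions(actor_roles):
        return False, "actor lacks assign_role"
    if actor == target:                      # no self-escalation (cf. CVE-2005-1973 above)
        return False, "self-assignment is not allowed"
    chained = chained_permissions(set(target_roles) | {new_role})
    if chained:                              # second, independent condition on the outcome
        return False, "grant would chain privileges: %s" % chained
    return True, "ok"
```

The same check belongs on any path that adds rights, including bulk imports and API calls, so that the combination cannot be reached through an alternate channel.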

CVE References

  • CVE-2002-1772 – Gain certain rights via privilege chaining in alternate channel.
  • CVE-2005-1973 – Application is allowed to assign extra permissions to itself.
  • CVE-2003-0640 – “operator” user can overwrite usernames and passwords to gain admin privileges.

CWE-267 – Privilege Defined With Unsafe Actions

Description

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-269

Consequences

Access Control: Gain Privileges or Assume Identity

A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CVE References

  • CVE-2002-1981 – Roles have access to dangerous procedures (Accessible entities).
  • CVE-2002-1671 – Untrusted object/method gets access to clipboard (Accessible entities).
  • CVE-2004-2204 – Gain privileges using functions/tags that should be restricted (Accessible entities).
  • CVE-2000-0315 – Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
  • CVE-2004-0380 – Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities).
  • CVE-2002-1154 – Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities).
  • CVE-2002-1145 – “public” database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions).
  • CVE-2000-0506 – User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).
  • CVE-2002-2042 – Allows attachment to and modification of privileged processes (Unsafe privileged actions).
  • CVE-2000-1212 – User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions).
  • CVE-2005-1742 – Inappropriate actions allowed by a particular role (Unsafe privileged actions).
  • CVE-2001-1480 – Untrusted entity allowed to access the system clipboard (Unsafe privileged actions).
  • CVE-2001-1551 – Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions).
  • CVE-2001-1166 – User with debugging rights can read entire process (Unsafe privileged actions).
  • CVE-2005-1816 – Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions).
  • CVE-2005-2173 – Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions).
  • CVE-2005-2027 – Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions).

CWE-266 – Incorrect Privilege Assignment

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-269
CWE-286

Consequences

Access Control: Gain Privileges or Assume Identity

A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CVE References

  • CVE-2005-2741 – Product allows users to grant themselves certain rights that can be used to escalate privileges.
  • CVE-2005-2496 – Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
  • CVE-2004-0274 – Product mistakenly assigns a particular status to an entity, leading to increased privileges.

CWE-263 – Password Aging with Long Expiration

Description

Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.

Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

Related Weaknesses

CWE-287
CWE-404

Consequences

Access Control: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure that password aging is limited so that there is a defined maximum age for passwords and so that the user is notified several times leading up to the password expiration.

CWE-262 – Not Using Password Aging

Description

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner.

Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause users to generate poor or predictable passwords. As such, it is important to discourage creating similar passwords. It is also useful to have a password aging mechanism that notifies users when passwords are considered old and requests that they replace them with new, strong passwords. Companion documentation which stresses how important this practice is can help users understand and better support this approach.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Low

Related Weaknesses

CWE-287
CWE-404
CWE-309
CWE-263
CWE-324

Consequences

Access Control: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.

Potential Mitigations

Phase: Architecture and Design

Description: 

As part of a product’s design, require users to change their passwords regularly and avoid reusing previous passwords.
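
The bounded aging and staged notices described under CWE-263 and CWE-262, as one added example that is not from the page. The 90-day maximum, the notice schedule and the names MAX_AGE, NOTICE_DAYS, password_status, notice_dates and must_change_password are constructed; the page only requires a defined maximum age and several notices before expiry.

```python
"""Bounded password aging with staged expiry notices (CWE-263, CWE-262).
Added example, not code from the page. The 90-day maximum and the notice
schedule are constructed policy values; the page asks only for a defined
maximum age and several notices before expiry. Times are timezone-aware
datetimes or ISO-8601 strings."""
import math
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)      # constructed maximum life span
NOTICE_DAYS = (14, 7, 3, 1)       # constructed: days before expiry to warn
ONE_DAY = timedelta(days=1)

def _as_dt(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def password_status(last_changed, now):
    """Return (state, days_left): 'expired', 'notify' (today is a scheduled
    warning day) or 'ok'. days_left rounds up, so 23 hours left is 1 day."""
    remaining = _as_dt(last_changed) + MAX_AGE - _as_dt(now)
    if remaining <= timedelta(0):
        return "expired", 0
    days_left = math.ceil(remaining / ONE_DAY)
    return ("notify" if days_left in NOTICE_DAYS else "ok"), days_left

def notice_dates(last_changed):
    """ISO timestamps of every warning for a password set at last_changed,
    earliest first; a scheduler can diff this against notices already sent."""
    expiry = _as_dt(last_changed) + MAX_AGE
    return [(expiry - d * ONE_DAY).isoformat() for d in sorted(NOTICE_DAYS, reverse=True)]

def must_change_password(last_changed, now):
    """Login-path gate: an expired password forces a change before any use."""
    return password_status(last_changed, now)[0] == "expired"
```

Pair the gate with a reuse check on the new password and with a maximum age long enough that users are not pushed into predictable rotations, the failure mode CWE-262 describes.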

CWE-261 – Weak Encoding for Password

Description

Obscuring a password with a trivial encoding does not protect the password.

Password management issues occur when a password is stored in plaintext in an application’s properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287
CWE-326

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

Phase:

Description: 

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

CWE-260 – Password in Configuration File

Description

The software stores a password in a configuration file that might be accessible to actors who do not know the password.

This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-522

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid storing passwords in easily accessible locations.

Phase: Architecture and Design

Description: 

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

CWE-26 – Path Traversal: ‘/dir/../filename’

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/dir/../filename” sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-23

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
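
The decode-once, canonicalize, then validate order from the mitigation above, as an added example that is not code from the page. BASE_DIR, safe_path and naive_check are constructed names, and naive_check is included only to show the anti-pattern the mitigation rules out: checking the raw input before it has been decoded.

```python
"""Canonicalize-then-validate for '/dir/../filename' inputs (CWE-26).
Added example, not code from the page. BASE_DIR and the inputs are
constructed; the order (decode once, canonicalize, then check) follows
the mitigation text. Symlinks are not resolved here: a tree containing
them needs os.path.realpath on the candidate before the same check."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"   # constructed restricted directory

def safe_path(user_path):
    """Return the canonical path if it stays inside BASE_DIR, else None."""
    decoded = unquote(user_path)                     # exactly one decode (CWE-174)
    joined = posixpath.join(BASE_DIR, decoded.lstrip("/"))
    candidate = posixpath.normpath(joined)           # '/dir/../filename' collapses here
    # Validate the canonical form (CWE-180), never the raw input. Comparing
    # against BASE_DIR + '/' keeps a sibling such as /srv/app/public2 out.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate

def naive_check(user_path):
    """The anti-pattern: a substring test on the raw, still-encoded input.
    Returns True for input that merely looks safe; '%2e%2e' slips through
    and only becomes '..' when the server decodes it later."""
    return ".." not in user_path
```

Note that a doubly encoded input such as %252e%252e is left as the literal directory name %2e%2e after the single decode, which is the intended result: decoding it again would recreate the traversal the check already removed.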

CWE-259 – Use of Hard-coded Password

Description

The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

Related Weaknesses

CWE-798
CWE-321
CWE-257

Consequences

Access Control: Gain Privileges or Assume Identity

If hard-coded passwords are used, it is almost certain that malicious users will gain access through the account in question.

Potential Mitigations

Phase: Architecture and Design

Description: 

For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.

Phase: Architecture and Design

Description: 

For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password.

Phase: Architecture and Design

Description: 

Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.

CWE-258 – Empty Password in Configuration File

Description

Using an empty string as a password is insecure.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-260
CWE-521

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

Phase: System Configuration

Description: 

Passwords should be at least eight characters long — the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use “similar-looking” punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
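
The storage mitigations from CWE-261 (a trivial encoding is not protection), CWE-260 (store a cryptographic hash instead of plaintext) and CWE-258 (never accept an empty password) above, together with the restrictive file permissions advised under CWE-259, as one added example that is not code from the page. The record format, the admin_password_hash key, the PBKDF2 iteration count and the function names are constructed.

```python
"""Inbound-auth credential kept in a config file: hashed, not base64
"obscured" (CWE-261, CWE-260), never empty (CWE-258), in an owner-only
file (the permissions mitigation under CWE-259). Added example, not code
from the page; the record format, key name and iteration count are
constructed choices."""
import base64, hashlib, hmac, os, secrets, stat

ITERATIONS = 600_000   # constructed PBKDF2 work factor

def reveal_obscured(value):
    """What CWE-261 warns about: base64 is an encoding, not encryption, so
    anyone who can read the file recovers the password with one call."""
    return base64.b64decode(value).decode()

def make_record(password):
    """Salted PBKDF2-HMAC-SHA256 record; the file never holds the password."""
    if not password:                                      # CWE-258
        raise ValueError("empty password is not allowed")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify(record, attempt):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                                      # malformed record
    if algo != "pbkdf2_sha256" or not attempt:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def write_config(path, record):
    """Create the file owner-only from the start, so there is no window
    in which a default umask leaves it world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("admin_password_hash=%s\n" % record)

def load_config(path):
    """Parse key=value lines, refusing a file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be owner-only, mode is %o" % (path, mode))
    with open(path) as fh:
        return dict(line.rstrip("\n").split("=", 1) for line in fh if "=" in line)
```

This applies to inbound authentication, where the product only needs to verify a password; a credential the product must send to another system cannot be hashed and falls under the encrypted-store advice given for CWE-259.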
