
Description

During installation, installed file permissions are set to allow anyone to modify those files.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-732

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
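One way to check an installed tree for the condition described above and then apply this mitigation, as an added example that is not part of the original entry. The file names, modes and helper names (find_world_writable, restrict) are constructed for illustration, and POSIX permission bits are assumed.

```python
import os
import stat
import tempfile

WORLD_WRITE = stat.S_IWOTH  # the "anyone can modify" bit this weakness is about


def find_world_writable(root):
    """Return sorted relative paths under root that any local user can modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:  # directories count: write access there allows replacing files
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not what controls access
            if st.st_mode & WORLD_WRITE:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def restrict(root, hits):
    """Clear only the other-write bit on each reported path."""
    for rel in hits:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~WORLD_WRITE)


def demo():
    """Constructed install tree in which the installer left one file writable by everyone."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        os.chmod(os.path.join(root, "bin"), 0o755)
        layout = {"bin/app": 0o755, "app.conf": 0o666, "app.log": 0o644}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # explicit mode, so the process umask cannot hide the problem
        before = find_world_writable(root)
        restrict(root, before)
        after = find_world_writable(root)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The explicit chmod in the installer step is the point: relying on the umask of whoever runs the installer is how permissive modes end up on installed files.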

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1550
    • World-writable log files allow information loss; world-readable file has cleartext passwords.
  • CVE-2002-1844
    • Windows product uses insecure permissions when installing on Solaris (genesis: port error).
  • CVE-2001-0497
    • Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
  • CVE-1999-0426
    • Default permissions of a device allow IP spoofing.