CWE-269: Improper Privilege ManagementWeakness ID: 269 Vulnerability Mapping:
DISCOURAGEDThis CWE ID should not be used to map to real-world vulnerabilities Abstraction: ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. |
Description The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. | ![Diagram for CWE-269](https://cdn.statically.io/img/cwe.mitre.org/data/images/CWE-269-Diagram.png) |
Common Consequences This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Access Control
| Technical Impact: Gain Privileges or Assume Identity | |
Potential Mitigations
Phases: Architecture and Design; Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. |
Phase: Architecture and Design Strategy: Separation of Privilege Follow the principle of least privilege when assigning access rights to entities in a software system. |
Phase: Architecture and Design Strategy: Separation of Privilege Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. |
Relationships This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Research Concepts" (CWE-1000) Nature | Type | ID | Name |
---|
ChildOf | Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 284 | Improper Access Control | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 250 | Execution with Unnecessary Privileges | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 266 | Incorrect Privilege Assignment | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 267 | Privilege Defined With Unsafe Actions | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 268 | Privilege Chaining | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 270 | Privilege Context Switching Error | ParentOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 271 | Privilege Dropping / Lowering Errors | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 274 | Improper Handling of Insufficient Privileges | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 648 | Incorrect Use of Privileged APIs |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Architectural Concepts" (CWE-1008) Nature | Type | ID | Name |
---|
MemberOf | Category - a CWE entry that contains a set of other entries that share a common characteristic. | 1011 | Authorize Actors |
Modes Of Introduction The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.Phase | Note |
---|
Architecture and Design | | Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. | Operation | |
Likelihood Of Exploit Demonstrative Examples Example 1 This code temporarily raises the program's privileges to allow creation of a new user folder. (bad code) Example Language: Python
def makeNewUserDir(username):
if invalidUsername(username):
#avoid CWE-22 and CWE-78
print('Usernames cannot contain invalid characters') return False
try: raisePrivileges() os.mkdir('/home/' + username) lowerPrivileges()
except OSError: print('Unable to create new user directory for user:' + username) return False
return True
While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur. Example 2 The following example demonstrates the weakness. (bad code) Example Language: C
seteuid(0);
/* do some stuff */
seteuid(getuid());
Example 3 The following example demonstrates the weakness. (bad code) Example Language: Java
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// privileged code goes here, for example:
System.loadLibrary("awt"); return null;
// nothing to return
}
Example 4 This code intends to allow only Administrators to print debug information about a system. (bad code) Example Language: Java
public enum Roles { ADMIN,USER,GUEST }
public void printDebugInfo(User requestingUser){
if(isAuthenticated(requestingUser)){
switch(requestingUser.role){
case GUEST: System.out.println("You are not authorized to perform this command"); break;
default: System.out.println(currentDebugState()); break;
}
} else{ System.out.println("You must be logged in to perform this command"); }
}
While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system. Example 5 This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords. (bad code) Example Language: Java
public enum Roles { ADMIN,OPERATOR,USER,GUEST }
public void resetPassword(User requestingUser, User user, String password ){
if(isAuthenticated(requestingUser)){
switch(requestingUser.role){
case GUEST: System.out.println("You are not authorized to perform this command"); break;
case USER: System.out.println("You are not authorized to perform this command"); break;
default: setPassword(user,password); break; }
}
else{ System.out.println("You must be logged in to perform this command"); }
}
This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account. Observed Examples Reference | Description |
| Terminal privileges are not reset when a user logs out. |
| Does not properly pass security context to child processes in certain cases, allows privilege escalation. |
| Does not properly compute roles. |
| untrusted user placed in unix "wheel" group |
| Product allows users to grant themselves certain rights that can be used to escalate privileges. |
| Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. |
| Product mistakenly assigns a particular status to an entity, leading to increased privileges. |
| FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. |
| OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. |
| Composite: application running with high privileges ( CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file ( CWE-209). |
| Installation script installs some programs as setuid when they shouldn't be. |
| Roles have access to dangerous procedures (Accessible entities). |
| Untrusted object/method gets access to clipboard (Accessible entities). |
| Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). |
| User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). |
Weakness Ordinalities Ordinality | Description |
Primary | (where the weakness exists independent of other weaknesses) |
Detection Methods
Automated Static Analysis Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Memberships This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources. Vulnerability Mapping Notes Usage: DISCOURAGED (this CWE ID should not be used to map to real-world vulnerabilities) | Reason: Frequent Misuse | Rationale: CWE-269 is commonly misused. It can be conflated with "privilege escalation," which is a technical impact that is listed in many low-information vulnerability reports [REF-1287]. It is not useful for trend analysis. | Comments: If an error or mistake allows privilege escalation, then use the CWE ID for that mistake. Avoid using CWE-269 when only phrases such as "privilege escalation" or "gain privileges" are available, as these indicate technical impact of the vulnerability - not the root cause weakness. If the root cause seems to be directly related to privileges, then examine the children of CWE-269 for additional hints, such as Execution with Unnecessary Privileges (CWE-250) or Incorrect Privilege Assignment (CWE-266). |
Notes Maintenance The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources ( CWE-664) and protection mechanism failures ( CWE-693). Taxonomy Mappings Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
PLOVER | | | Privilege Management Error |
ISA/IEC 62443 | Part 2-4 | | Req SP.03.08 BR |
ISA/IEC 62443 | Part 3-2 | | Req CR 3.1 |
ISA/IEC 62443 | Part 3-3 | | Req SR 1.2 |
ISA/IEC 62443 | Part 3-3 | | Req SR 2.1 |
ISA/IEC 62443 | Part 4-1 | | Req SD-3 |
ISA/IEC 62443 | Part 4-1 | | Req SD-4 |
ISA/IEC 62443 | Part 4-1 | | Req SI-1 |
ISA/IEC 62443 | Part 4-2 | | Req CR 1.1 |
ISA/IEC 62443 | Part 4-2 | | Req CR 2.1 |
References
[REF-44] Michael Howard, David LeBlanc
and John Viega. "24 Deadly Sins of Software Security". "Sin 16: Executing Code With Too Much Privilege." Page 243. McGraw-Hill. 2010.
|
[REF-62] Mark Dowd, John McDonald
and Justin Schuh. "The Art of Software Security Assessment". Chapter 9, "Dropping Privileges Permanently", Page 479. 1st Edition. Addison Wesley. 2006.
|
|
Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2006-07-19 (CWE Draft 3, 2006-07-19) | PLOVER | | | Contributions |
---|
Contribution Date | Contributor | Organization |
---|
2023-06-29 (CWE 4.12, 2023-06-29) | "Mapping CWE to 62443" Sub-Working Group | CWE-CAPEC ICS/OT SIG | Suggested mappings to ISA/IEC 62443. | 2024-02-29 (CWE 4.15, 2024-07-16) | Abhi Balakrishnan | | Provided diagram to improve CWE usability | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction | 2008-09-08 | | CWE Team | Moved this entry higher up in the Research view. | 2008-09-08 | CWE Content Team | MITRE | updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities | 2009-05-27 | CWE Content Team | MITRE | updated Name | 2009-12-28 | CWE Content Team | MITRE | updated Potential_Mitigations | 2010-06-21 | CWE Content Team | MITRE | updated Potential_Mitigations | 2011-03-29 | CWE Content Team | MITRE | updated Description, Relationships | 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences | 2012-05-11 | CWE Content Team | MITRE | updated References, Relationships | 2012-10-30 | CWE Content Team | MITRE | updated Potential_Mitigations | 2013-02-21 | CWE Content Team | MITRE | updated Potential_Mitigations | 2017-11-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type | 2019-06-20 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2019-09-19 | CWE Content Team | MITRE | updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships | 2020-02-24 | CWE Content Team | MITRE | updated Observed_Examples, Relationships | 2020-08-20 | CWE Content Team | MITRE | updated Relationships | 2021-03-15 | CWE Content Team | MITRE | updated Demonstrative_Examples | 2021-10-28 | CWE Content Team | MITRE | updated Relationships | 2022-04-28 | CWE Content Team | MITRE | updated Relationships | 2022-10-13 | CWE Content Team | MITRE | updated References | 2023-01-31 | CWE Content Team | MITRE | updated Description | 2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships | 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes, Relationships, Taxonomy_Mappings | 2024-07-16 (CWE 4.15, 2024-07-16) | CWE Content Team | MITRE | updated Diagram | Previous Entry Names |
---|
Change Date | Previous Entry Name |
---|
2008-09-09 | Privilege Management Error | | 2009-05-27 | Insecure Privilege Management | |
More information is available — Please edit the custom filter or select a different filter.
|