
CWE-250 Individual Dictionary Definition (Draft 9)

Design Principle Violation: Failure to Use Least Privilege
Weakness ID: 250 (Weakness Class)
Status: Draft

Description

Summary

Failure to adhere to the principle of least privilege amplifies the risk posed by other weaknesses.

Context Notes

This weakness refers to cases in which an application grants greater access rights than necessary. Depending on the level of access granted, this may allow a user to access confidential information. For example, programs that run with root privileges have caused innumerable Unix security disasters. It is imperative that you carefully review privileged programs for all kinds of security problems, but it is equally important that privileged programs drop back to an unprivileged state as quickly as possible in order to limit the amount of damage that an overlooked vulnerability might be able to cause.

Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another. Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. An attacker may be able to leverage these elevated privileges to do further damage.

To grant the minimum access level necessary, first identify the different permissions that an application or user of that application will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else.
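The "drop back to an unprivileged state as quickly as possible" advice above, written out as an added C example (this code is not part of the CWE entry). It assumes Linux or BSD semantics for setresuid/setresgid, which set the real, effective and saved ids together so the drop is permanent, and it uses a hypothetical target account name ("nobody") only for illustration. The ordering (supplementary groups, then gid, then uid) and the post-drop verification are the points the entry's platform-quirk warning is about; the child process at the end shows that anything spawned after the drop inherits the reduced privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up privileges in favour of target_uid/target_gid.
 * Order matters: supplementary groups and the gid go first, because once the
 * uid is unprivileged the process can no longer change its group ids.
 * setresgid/setresuid (Linux, *BSD; assumed here) set real, effective AND
 * saved ids, so the drop cannot be undone by a later seteuid(0).
 * Returns 0 on success, -1 on error (errno set by the failing call). */
int drop_privileges(uid_t target_uid, gid_t target_gid) {
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; an unprivileged caller
         * simply keeps the groups it already has. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop actually took effect: every uid/gid slot must equal the
 * target, and an unprivileged target must be unable to regain root.
 * Returns 0 if the process is confirmed at the target ids, -1 otherwise. */
int verify_dropped(uid_t target_uid, gid_t target_gid) {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != target_uid || euid != target_uid || suid != target_uid)
        return -1;
    if (rgid != target_gid || egid != target_gid || sgid != target_gid)
        return -1;
    /* If this succeeds, the saved uid was still 0 and the drop was incomplete. */
    if (target_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Typical shape of a privileged program: do the root-only setup first and
 * briefly, drop, verify, and only then run the rest of the program, including
 * any child processes, which inherit the current ids.
 * The account name "nobody" is an assumption for illustration. */
int main(int argc, char **argv) {
    const char *account = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(account);
    if (!pw) {
        fprintf(stderr, "unknown account %s\n", account);
        return 1;
    }
    /* ... privileged setup would happen here, as briefly as possible ... */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;   /* never keep running as root when the drop failed */
    }
    if (verify_dropped(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return 1;
    }
    /* Children spawned from here on run as the unprivileged account. */
    pid_t child = fork();
    if (child == 0) {
        execlp("id", "id", (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (child > 0)
        waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root it prints the child's `id` output for the target account; run as an ordinary user with a target it cannot switch to, drop_privileges fails with EPERM and the program exits rather than continuing, which is the behaviour you want from a failed drop.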

If an application has this design problem, then it can be easier for the developer to make implementation-related errors such as CWE-271 (Privilege Dropping / Lowering Errors). In addition, the consequences of Privilege Chaining (CWE-268) can become more severe.

There is a close association with CWE-653 (Insufficient Separation of Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.

References

Jerome H. Saltzer and Michael D. Schroeder. "The Protection of Information in Computer Systems". Proceedings of the IEEE 63. September, 1975. <http://web.mit.edu/Saltzer/www/publications/protection/>.

Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html>.

Relationships

Nature    Type            ID   Name
ChildOf   Weakness Class  657  Violation of Secure Design Principles
ChildOf   Category        264  Permissions, Privileges, and Access Controls
PeerOf    Weakness Class  271  Privilege Dropping / Lowering Errors
PeerOf    Category        265  Privilege / Sandbox Issues

Source Taxonomies

7 Pernicious Kingdoms - Often Misused: Privilege Management

Applicable Platforms

All

Time of Introduction

Architecture and Design

Related Attack Patterns

CAPEC-ID  Attack Pattern Name
69        Target Programs with Elevated Privileges

Page Last Updated: April 22, 2008